It’s annoying having scripts and bots attempting to ssh into your pbx server. If you have proper passwords they don’t stand a chance of getting in, but it’s not satisfying to ignore them while they create load and clutter up your log files with failed login messages.
There are many tools out there to monitor and block IP addresses that repeatedly attempt to connect. My needs were:
- low memory (memory is precious on a VPS)
- simple
- customizable
scan-secure.sh
#!/bin/sh
# scan /var/log/secure for ssh attempts
# use iptables to block the bad guys
# Looking for attempts on existing and non-existing users. For example:
# Nov 2 22:44:07 pbxer sshd[28318]: Failed password for root from 74.143.42.70 port 52416 ssh2
# Nov 3 00:06:57 pbxer sshd[31767]: Failed password for invalid user mat3 from 192.203.145.200 port 35841 ssh2

tail -1000 /var/log/secure | awk '/sshd/ && /Failed password for/ {
    if (/invalid user/) try[$13]++; else try[$11]++;
} END {
    for (h in try) if (try[h] > 4) print h;
}' | while read ip
do
    # note: check if IP is already blocked...
    # fixed-string, whole-word match so that 10.0.0.1 does not match 10.0.0.10
    /sbin/iptables -L -n | grep -Fw -- "$ip" > /dev/null
    if [ $? -eq 0 ] ; then
        # echo "already denied ip: [$ip]" ;
        true
    else
        # echo "Subject: denying ip: $ip" | /usr/sbin/sendmail notify@email.com
        logger -p authpriv.notice "*** Blocking SSH attempt from: $ip"
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done

awk does all the magic. It grabs the relevant lines, splits each line into whitespace-separated tokens, stores the IP address (field 11 for an existing user, field 13 when the line contains "invalid user") as a key in a hash and counts how many times each was seen, and finally outputs every IP address that was seen more than four times.
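As an added example (not the original script), here is the same counting logic written so that the source address is taken as the token after the word "from" rather than a fixed field number, which shifts if the message format changes, together with a stricter "already blocked" check. The threshold is a parameter, and the log lines and rule listing are constructed samples using documentation addresses.

```sh
#!/bin/sh
# Added example: count failed-password source IPs from a secure-log excerpt
# and report those seen more than THRESHOLD times. One awk rule covers both
# the "for root from X" and "for invalid user foo from X" line shapes.

# Constructed sample log lines (documentation IPs, not a real server).
SAMPLE_LOG='Nov  2 22:44:07 pbxer sshd[28318]: Failed password for root from 203.0.113.5 port 52416 ssh2
Nov  2 22:44:09 pbxer sshd[28320]: Failed password for root from 203.0.113.5 port 52417 ssh2
Nov  2 22:44:12 pbxer sshd[28322]: Failed password for invalid user admin from 203.0.113.5 port 52418 ssh2
Nov  2 22:44:15 pbxer sshd[28324]: Failed password for invalid user oracle from 203.0.113.5 port 52419 ssh2
Nov  2 22:44:18 pbxer sshd[28326]: Failed password for root from 203.0.113.5 port 52420 ssh2
Nov  3 00:06:57 pbxer sshd[31767]: Failed password for invalid user mat3 from 198.51.100.7 port 35841 ssh2
Nov  3 00:07:01 pbxer sshd[31769]: Failed password for root from 198.51.100.7 port 35842 ssh2
Nov  3 00:10:30 pbxer sshd[31801]: Accepted password for alice from 198.51.100.9 port 40001 ssh2'

# offending_ips THRESHOLD  (log text on stdin)
# Prints one address per line for every IP seen more than THRESHOLD times.
offending_ips() {
    awk -v limit="$1" '
        /sshd/ && /Failed password for/ {
            # take the token that follows "from" instead of $11 / $13
            for (i = 1; i < NF; i++)
                if ($i == "from") { try[$(i + 1)]++; break }
        }
        END { for (h in try) if (try[h] > limit + 0) print h }
    ' | sort
}

# is_blocked IP RULE_LISTING
# Succeeds only if IP appears as a whole word in the listing, so a prefix
# such as 10.0.0.1 does not match a rule for 10.0.0.10.
is_blocked() {
    printf '%s\n' "$2" | grep -qFw -- "$1"
}

# Constructed stand-in for the output of "iptables -L INPUT -n".
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  203.0.113.50         0.0.0.0/0'

# Stand-alone run: list the addresses that would be blocked at threshold 4.
printf '%s\n' "$SAMPLE_LOG" | offending_ips 4
```

Only 203.0.113.5 crosses the threshold in the sample; 198.51.100.7 is seen twice and the "Accepted password" line is ignored.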
For the first few days, it’s interesting to receive an email when IP addresses are banned. Add your email address to the sendmail line in the script and uncomment it.
Once you’re sure that the script is working how you’d like, you can add it to cron so that it runs every few minutes. I found that every two minutes works for me.
crontab -e
# scan the secure log every 2 minutes
*/2 * * * * /root/scan-secure.sh
After a few months you might find that the iptables rules are starting to get cluttered.
iptables -L -n
You can clean them out by “flushing” them. Note that this removes every rule in every chain of the filter table, not just the DROP rules added by the script.
iptables -F
Now sleep tight knowing that people aren’t continually coming by to see if you locked your doors.