It’s annoying having scripts and bots attempting to ssh into
your pbx server. If you have proper passwords they don’t stand a chance
of getting in, but it’s not satisfying to ignore them while they create
load and clutter up your log files with failed login messages.
There are many tools out there to monitor and block IP addresses that repeatedly attempt to connect. My needs were:
- low memory (memory is precious on a VPS)
- simple
- customizable
After wasting time installing various complicated python and perl scripts, I found a clever use of
awk that counts matches in a log file and I put together this simple shell script:
scan-secure.sh
#!/bin/sh
# scan /var/log/secure for ssh attempts
# use iptables to block the bad guys
# Looking for attempts on existing and non-existing users. For example:
# Nov 2 22:44:07 pbxer sshd[28318]: Failed password for root from 74.143.42.70 port 52416 ssh2
# Nov 3 00:06:57 pbxer sshd[31767]: Failed password for invalid user mat3 from 192.203.145.200 port 35841 ssh2
# The source address is field 11 in the first form and field 13 in the second
# ("invalid user" adds two tokens); print every address seen more than 4 times.
tail -1000 /var/log/secure | awk '/sshd/ && /Failed password for/ { if (/invalid user/) try[$13]++; else try[$11]++; }
    END { for (h in try) if (try[h] > 4) print h; }' |
while read -r ip
do
    # note: check if IP is already blocked (-w matches the whole address, so 10.0.0.1 does not match 10.0.0.10)
    if /sbin/iptables -L -n | grep -qwF -- "$ip" ; then
        # echo "already denied ip: [$ip]" ;
        true
    else
        # echo "Subject: denying ip: $ip" | /usr/sbin/sendmail notify@email.com
        logger -p authpriv.notice "*** Blocking SSH attempt from: $ip"
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done
awk does all the magic. It grabs relevant lines, splits the lines into tokens, stores IP addresses in a hash and counts how many times they were seen, and finally outputs all IP addresses that were seen more than four times.
For the first few days, it’s interesting to receive an email when IP addresses are banned. Put your address in the sendmail line and uncomment it.
Once you’re sure that the script is working how you’d like, you can
add it to cron so that it runs every few minutes. I found that every two
minutes works for me.
crontab -e
# scan the secure log every 2 minutes
*/2 * * * * /root/scan-secure.sh
After a few months you might find that the iptables rules are starting to get cluttered.
iptables -L -n
You can clean them out by “flushing” them (note that this removes every rule in the filter table, not just the ones this script added, so re-add any other rules you rely on afterwards).
iptables -F
Now sleep tight knowing that people aren’t continually coming by to see if you locked your doors.