How to Block failed SSH login attempts?

Written by sathish. Posted in Linux

SSH (Secure Shell) is a protocol used for communicating with a server in a secure manner. The port number for ssh communication is 22.

To connect to any server via ssh, the server must run an ssh server and the client must run an ssh client. To connect to a Linux server from a Windows system we need an application called PuTTY; from PuTTY we can establish an ssh connection to any required server. To download putty.

This is how we connect to the server:
ssh someserver.com

Sometimes hackers try to keep our server busy by sending wrong usernames and passwords, so every time the server has to reply "username or password entered wrong". Legitimate users are affected because the server is busy replying to this user (the hacker); in this way the hacker achieves a Denial of Service, DoS for short. The hacker does this with the help of bots or scripts, which try to ssh to a server and feed it random passwords. So the best practice is to block this type of fake request.

Let's see how we can achieve this.

Command name lastb: this displays the list of recent bad login attempts, read from the file /var/log/btmp (which is why it is run as root).

su - root
lastb
Sample output of lastb:
r00t     ssh:notty    123.13.201.202   Fri Apr  1 07:48 - 07:48  (00:00)
r00t     ssh:notty    123.13.201.202   Fri Apr  1 07:48 - 07:48  (00:00)
root     ssh:notty    123.13.201.202   Fri Apr  1 07:47 - 07:47  (00:00)
root     ssh:notty    123.13.201.202   Fri Apr  1 07:47 - 07:47  (00:00)
root     ssh:notty    123.13.201.202   Fri Apr  1 07:47 - 07:47  (00:00)
teamspea ssh:notty    123.13.201.202   Fri Apr  1 07:47 - 07:47  (00:00)
teamspea ssh:notty    123.13.201.202   Fri Apr  1 07:47 - 07:47  (00:00)
File Name: iplist-ssh.sh. This is the main file; it calls three sub files, each of which has one job. So we are creating 3 files:
  1. readip-ssh.sh : reads the IPs and their number of attempts.
  2. leave.sh : skips IPs you don't want to block, say IPs from the local network.
  3. blk.sh : blocks the remaining IPs using iptables.
File Name: iplist-ssh.sh
sh readip-ssh.sh > run.ssh.txt
sh leave.sh
sh blk.sh

File Name: readip-ssh.sh

# Note: this script lists the IP addresses of failed ssh login attempts together with
# their number of tries. 30 is the threshold: only IPs with more than 30 attempts are printed.
# The third field of lastb output is the source host; man.txt then holds one IP per line.
lastb | awk '{ print $3 }' > man.txt
file=man.txt
for ip in `sort $file | uniq`;
do
  # -F -x: match the whole line literally, so 10.1.1.1 is not also counted for 10.1.1.10
  count=`grep -Fxc "$ip" $file`;
  if [ "$count" -gt 30 ];
  then echo "$count:   $ip";
  fi
done
Sample output of the file run.ssh.txt:
368:   111.1.37.186
104:   202.116.50.67
548:   203.116.18.165
454:   211.252.223.202

File Name: leave.sh

awk -f 2.awk /root/project/run.ssh.txt

File Name: 2.awk

# Suppose we want to ignore some IPs, let's say IPs from the local network that we
# don't want to count. For example, here all IPs from 192.168.41.* are ignored, where
# '*' is a wildcard for the last octet. Input lines look like "368:   111.1.37.186",
# so $2 is the IP; the patterns are anchored so that 192.168.41.x does not also match 192.168.410.x.

{
    if ($2 !~ /^10\.10\.15\.1$/ && $2 !~ /^192\.168\.41\./)
        print $2 >> "ip.block"
}

Now the file ip.block holds the list of IPs that are ready to be blocked.

This can be done in two ways:

  1. Using iptables
  2. In the hosts.deny file
1. Using iptables. File Name: blk.sh
blk="/root/project/ip.block"
# lines starting with # in ip.block are treated as comments and skipped
ip=$(grep -Ev "^#" $blk)
for i in $ip
do
  # -A appends to the chain: if an earlier rule already ACCEPTs ssh traffic, the DROP
  # is never reached, so use "-I INPUT 1" instead in that case
  iptables -A INPUT -s $i -j DROP
  iptables -A OUTPUT -d $i -j DROP
done

2. In deny hosts file

Add an entry of the form "sshd: <IP>" to the file /etc/hosts.deny; sshd consults it through TCP wrappers and refuses connections from that IP automatically (this requires an sshd built with TCP wrappers support).
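The three scripts above (readip-ssh.sh, 2.awk and blk.sh) folded into one POSIX shell pipeline, as an added example that is not part of the original post. It reads lastb-style lines, counts failures per source IP, applies the same threshold and local-network allowlist, and prints the iptables rules instead of running them so they can be reviewed before being applied. The names `THRESHOLD`, `ALLOW_RE`, `sample_lastb`, `count_failed`, `select_block` and `emit_rules` are assumptions for this example; the sample lastb lines are constructed, with documentation-range IPs.

```shell
#!/bin/sh
# Added example, not the original post's scripts. Assumed names: THRESHOLD,
# ALLOW_RE, sample_lastb, count_failed, select_block, emit_rules.

# Same threshold as readip-ssh.sh: only IPs with MORE than this many failures are blocked.
THRESHOLD=30

# Allowlist as an anchored extended regex (same intent as 2.awk): one host plus
# the whole 192.168.41.0/24 range. Constructed values for the example.
ALLOW_RE='^(10\.10\.15\.1|192\.168\.41\.[0-9]+)$'

# Constructed lastb-style input: 35 failures from 203.0.113.7 (should be blocked),
# 31 from 192.168.41.9 (over threshold but allowlisted), 2 from 198.51.100.4
# (under threshold), followed by the blank line and "btmp begins" trailer lastb prints.
sample_lastb() {
    i=0; while [ $i -lt 35 ]; do
        echo 'root     ssh:notty    203.0.113.7      Fri Apr  1 07:47 - 07:47  (00:00)'
        i=$((i+1)); done
    i=0; while [ $i -lt 31 ]; do
        echo 'admin    ssh:notty    192.168.41.9     Fri Apr  1 07:48 - 07:48  (00:00)'
        i=$((i+1)); done
    echo 'guest    ssh:notty    198.51.100.4     Fri Apr  1 07:49 - 07:49  (00:00)'
    echo 'guest    ssh:notty    198.51.100.4     Fri Apr  1 07:49 - 07:49  (00:00)'
    echo
    echo 'btmp begins Fri Apr  1 07:47:00 2011'
}

# Count failed attempts per IP. Only "user ssh:notty host ..." records are counted,
# so the trailer line (whose third field is a weekday) never becomes an "IP".
# Output: "<count>: <ip>", highest count first, like run.ssh.txt.
count_failed() {
    awk '$2 == "ssh:notty" { n[$3]++ }
         END { for (ip in n) print n[ip] ":", ip }' | sort -rn
}

# Keep IPs strictly above the threshold that are not on the allowlist.
# "|| true" keeps the pipeline's exit status 0 when nothing is left to block.
select_block() {
    awk -v t="$THRESHOLD" '$1+0 > t { print $2 }' | grep -Ev "$ALLOW_RE" || true
}

# Emit the same rules blk.sh runs, one IP per input line. Printing instead of
# executing needs no root and lets you inspect the list; pipe the output to sh as root to apply.
emit_rules() {
    while IFS= read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
        printf 'iptables -A OUTPUT -d %s -j DROP\n' "$ip"
    done
}

# Dry run over the constructed sample: prints the two rules for 203.0.113.7 only.
sample_lastb | count_failed | select_block | emit_rules
```

Replace `sample_lastb` with `lastb` (as root) to run it against the real /var/log/btmp. Matching on `$2 == "ssh:notty"` and on a whole-line regex are the two checks the original scripts lack: the first keeps lastb's trailer out of the count, the second stops a short prefix like 10.1.1.1 from absorbing the counts of 10.1.1.10.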


Techlister© - 2012