SSH (Secure Shell) is a protocol for logging in to a remote machine and moving data over an encrypted channel. By default the SSH server listens on TCP port 22.
To connect to a server over ssh, the server must run an ssh server (sshd) and the client must run an ssh client. To connect to a Linux server from a Windows system you need a client such as PuTTY, from which you can open an ssh connection to any required server. To download PuTTY.
This is how we connect to the server.
ssh someserver.com
Attackers routinely run bots or scripts that try to ssh into servers with random usernames and passwords. Each guess is a failed login that the server has to answer with "username or password entered wrong", so besides the risk that a weak password is eventually guessed, the flood of attempts keeps sshd busy and can crowd out legitimate users. In that way the attacker achieves a denial of service, DoS for short. The best practice is therefore to block the sources of these bogus requests.
Lets see how we can achieve this.
The lastb command displays the list of recent bad login attempts, which it reads from /var/log/btmp.
# /var/log/btmp is readable only by root, so run lastb as root
su - root -c lastb
Sample O/P of lastb
r00t     ssh:notty    123.13.201.202   Fri Apr  1 07:48 - 07:48  (00:00)
r00t     ssh:notty    123.13.201.202   Fri Apr  1 07:48 - 07:48  (00:00)
root     ssh:notty    123.13.201.202   Fri Apr  1 07:47 - 07:47  (00:00)
root     ssh:notty    123.13.201.202   Fri Apr  1 07:47 - 07:47  (00:00)
root     ssh:notty    123.13.201.202   Fri Apr  1 07:47 - 07:47  (00:00)
teamspea ssh:notty    123.13.201.202   Fri Apr  1 07:47 - 07:47  (00:00)
teamspea ssh:notty    123.13.201.202   Fri Apr  1 07:47 - 07:47  (00:00)
File Name: iplist-ssh.sh.
This is the main script. It calls three helper scripts, each with one job:
- readip-ssh.sh : reads the failed-login IPs and counts the attempts from each.
- leave.sh : skips IPs you do not want to block, for example addresses on the local network.
- blk.sh : blocks the remaining IPs with iptables.
#!/bin/sh
cd /root/project   # leave.sh and blk.sh use absolute paths under /root/project, so run.ssh.txt and ip.block must be created there too
sh readip-ssh.sh > run.ssh.txt
sh leave.sh
sh blk.sh
File Name: readip-ssh.sh
# Note: this script lists the source IPs of failed ssh login attempts with their number of tries. The threshold here is 30: only IPs with more than 30 attempts are printed (exactly 30 is not).
#!/bin/sh
lastb | awk '$2 ~ /^ssh/ { print $3 }' > man.txt   # ssh failures only; also drops the "btmp begins" footer line
for ip in $(sort -u man.txt); do
    # -x -F: whole-line, literal match, so 10.1.1.1 does not also count 10.1.1.10 or 10.1.1.100
    count=$(grep -cxF "$ip" man.txt)
    if [ "$count" -gt 30 ]; then
        echo "$count: $ip"
    fi
done
Sample O/P of the file run.ssh.txt:
368: 111.1.37.186
104: 202.116.50.67
548: 203.116.18.165
454: 211.252.223.202
File Name: leave.sh
awk -f 2.awk /root/project/run.ssh.txt
File Name: 2.awk
# Skip IPs we do not want to block, for example addresses on the local network. Here 10.10.15.1 is skipped exactly and every address under 192.168.41. is skipped. These are awk regular expressions, not shell globs: a dot has to be escaped, a prefix is anchored with ^ and ends in \., and "*" is not a wildcard (/192\.168\.41\.*/ would only make the final dot optional). Without the anchors /10\.10\.15\.1/ would also match 10.10.15.100. awk keywords are lowercase and the output file name must be a quoted string.
$2 !~ /^10\.10\.15\.1$/ && $2 !~ /^192\.168\.41\./ { print $2 >> "ip.block" }
The ip.block file now holds the list of IPs that are ready to be blocked.
This can be done in two ways,
- using iptables
- with an entry in /etc/hosts.deny
1. Using iptables.
File Name: blk.sh
#!/bin/sh
blk="/root/project/ip.block"
# lines beginning with # in ip.block are treated as comments
for i in $(grep -Ev "^#" "$blk"); do
    # -I inserts at the top of the chain; with -A the DROP would sit behind any earlier ACCEPT for port 22 and never be reached
    iptables -I INPUT -s "$i" -j DROP
    iptables -I OUTPUT -d "$i" -j DROP
done
2. In the /etc/hosts.deny file
Add an entry such as "sshd: 123.13.201.202" to /etc/hosts.deny and sshd will refuse connections from that address. This only works when sshd is built with TCP wrappers (libwrap) support, which upstream OpenSSH removed in version 6.7, so check your distribution's build before relying on it; the iptables method works regardless.
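The whole procedure above (counting failures from lastb, skipping allowlisted addresses, then producing the iptables rules or hosts.deny entries) as one added example script. This is not the page's own readip-ssh.sh, leave.sh or blk.sh; it folds their three steps into functions, fixes the prefix-match bugs of the originals (10.10.15.1 no longer also matches 10.10.15.100) and, so that it runs without root, works on constructed lastb-format sample text with documentation-range addresses instead of calling lastb. For real use replace gen_sample with lastb -i (numeric host column) and pipe the printed iptables commands into sudo sh.

```sh
#!/bin/sh
# Added example, not the page's scripts: readip-ssh.sh, leave.sh and blk.sh
# folded into one file. Input is constructed sample data (see gen_sample);
# swap in `lastb -i` for real runs.

# Print line $2 $1 times (helper for building the constructed sample).
repeat() {
    i=0
    while [ "$i" -lt "$1" ]; do
        echo "$2"
        i=$((i + 1))
    done
}

# Constructed sample in lastb's format: user, tty, host, timestamps.
# Addresses are RFC 5737 documentation and RFC 1918 private ranges. The
# tty1 line and the "btmp begins" footer are included because a naive
# `awk '{print $3}'` would count "Fri" as a host.
gen_sample() {
    repeat 40 'root     ssh:notty    203.0.113.10     Fri Apr  1 07:47 - 07:47  (00:00)'
    repeat 35 'admin    ssh:notty    192.168.41.7     Fri Apr  1 07:48 - 07:48  (00:00)'
    repeat 33 'r00t     ssh:notty    10.10.15.100     Fri Apr  1 07:48 - 07:48  (00:00)'
    repeat 31 'r00t     ssh:notty    10.10.15.1       Fri Apr  1 07:48 - 07:48  (00:00)'
    repeat 5  'bob      ssh:notty    198.51.100.4     Fri Apr  1 07:49 - 07:49  (00:00)'
    repeat 32 'alice    tty1                          Fri Apr  1 07:50 - 07:50  (00:00)'
    echo
    echo 'btmp begins Fri Apr  1 07:40:00 2016'
}

# Step 1 (readip-ssh.sh): count failed ssh logins per source address and
# print "count: ip" for every address with more than $1 failures, busiest
# first. Only ssh:* ttys whose host field is an IPv4 address are counted.
count_failures() {
    awk -v t="$1" '
        $2 ~ /^ssh/ && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip] ": " ip }
    ' | sort -rn
}

# Step 2 (leave.sh / 2.awk): drop addresses on the allowlist $1, a
# space-separated list of exact IPs ("10.10.15.1") or octet prefixes that
# end in a dot ("192.168.41."). Comparison is by literal string, not regex,
# so 10.10.15.1 does not also cover 10.10.15.100. Prints surviving IPs.
filter_allowlist() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " ") }
        {
            ip = $2; keep = 1
            for (i = 1; i <= n; i++) {
                e = a[i]
                if (e ~ /\.$/) { if (substr(ip, 1, length(e)) == e) keep = 0 }
                else if (ip == e) keep = 0
            }
            if (keep) print ip
        }'
}

# Step 3a (blk.sh): print the iptables commands for the IPs read on stdin,
# skipping comment and blank lines. -I puts the DROP ahead of any existing
# ACCEPT for port 22 (with -A it might never be reached) and -C makes
# re-running safe by skipping rules that already exist.
block_commands() {
    grep -Ev '^(#|$)' | while read -r ip; do
        echo "iptables -C INPUT -s $ip -j DROP 2>/dev/null || iptables -I INPUT -s $ip -j DROP"
    done
}

# Step 3b (/etc/hosts.deny): the equivalent TCP-wrappers entries, one per
# IP. Only effective when sshd is linked against libwrap.
hosts_deny_entries() {
    grep -Ev '^(#|$)' | while read -r ip; do
        echo "sshd: $ip"
    done
}

# Dry run of the whole chain on the sample: threshold 30, local nets allowed.
gen_sample | count_failures 30 | filter_allowlist '10.10.15.1 192.168.41.' | block_commands
```

On the sample this prints rules for 203.0.113.10 and 10.10.15.100 only: 198.51.100.4 is under the threshold, 192.168.41.7 is covered by the prefix entry, and 10.10.15.1 by the exact entry. The commands are printed rather than executed so the script can be reviewed first; `... | block_commands | sudo sh` applies them.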