LinuxQuestions.org

maail 06-16-2012 12:33 PM

ssh bruteforce
 
Hi all,
How can I automatically deny an IP when someone does an SSH brute force?

allend 06-16-2012 12:42 PM

Welcome to LQ!

There is a sticky post in the LQ Security forum that talks about this issue. There is a link in the last post of that thread that is extremely comprehensive. http://www.linuxquestions.org/questi...ml#post2027930

Look at Fail2Ban as it should serve your needs.

maail 06-22-2012 10:04 AM

But I have a script to deny SSH brute force, check it out:

Code:

#!/bin/bash
# This script will monitor for failed login attempts and, after a specified
# number of times, add the IP to a deny list
# Chad
LOGFILE="/var/log/secure"
HOSTSDENY="/etc/hosts.deny"
BADCOUNT="5"
# read logfile and look for invalid login attempts
grep sshd "$LOGFILE" | grep "Invalid user" | awk '{print $NF}' | sort | uniq -c | sort -n | sed "s/[[:space:]]*//" | while read -r i
do
    # read number of failed attempts
    count=$(echo "$i" | cut -d" " -f1)
    # read IP address from failed attempt
    ip=$(echo "$i" | cut -d" " -f2)
    # check hosts.deny file to see if the IP already exists
    # (-wF: fixed string, whole word, so 1.2.3.4 does not match 1.2.3.40)
    already=$(grep -wF -- "$ip" "$HOSTSDENY" | grep sshd)
    # if the IP does not exist, add it to the hosts.deny file
    if [ -z "$already" ]
    then
        if [ "$count" -ge "$BADCOUNT" ]
        then
            echo "sshd: $ip" >> "$HOSTSDENY"
        fi
    fi
done

So how about this script?

custangro 06-22-2012 10:17 AM

Quote:

Originally Posted by maail (Post 4704997)
Hi all,
How can I automatically deny an IP when someone does an SSH brute force?

Depending on your distro...

But on Red Hat systems (RHEL/CentOS/Fedora) you can edit the /etc/hosts.allow and the /etc/hosts.deny files

-C

maail 06-22-2012 10:24 AM

My distro is Fedora 12. Can you try whether this script works or not on your system? Because when I use this script it does not work on Fedora 12.
Can you help me?

custangro 06-22-2012 11:07 AM

Fedora 12 is an old distro. I would recommend upgrading to Fedora 17

Once you have that you can follow this example:

Let's say you want to deny the 192.168.2.54 address but allow all others

/etc/hosts.deny
Code:

sshd:        192.168.2.54

/etc/hosts.allow
Code:

sshd:        ALL

-C

maail 06-22-2012 11:46 AM

But I want to automatically deny an IP when someone attacks my server with an SSH brute force.

custangro 06-22-2012 12:03 PM

Without writing the script for you

Something like

Code:

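if ! grep -qF -- "${ipaddr}" /etc/hosts.deny ; then
  cp /etc/hosts.deny /etc/,hosts.deny.bk
  # mktemp instead of a fixed name under /tmp, which any local user could pre-create
  tmpfile=$(mktemp)
  # double quotes so that ${ipaddr} is expanded by the shell
  sed -e "s/sshd:    /sshd:  ${ipaddr},/g" /etc/hosts.deny > "${tmpfile}"
  cat "${tmpfile}" > /etc/hosts.deny
  rm "${tmpfile}"
fi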

I'm sure you can fit that in with what you've already written....the white space in the sed statement is a TAB.

-C
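
A sturdier take on the two scripts posted above (the log scan and the hosts.deny update), as an added example that is not part of the original thread. The function names, file arguments and sample log lines are constructed for illustration; it assumes the sshd "Invalid user NAME from IP" syslog format and IPv4 only.

```shell
#!/bin/bash
# Added example, not from the thread. Paths are arguments, so it can be tried
# on copies before it is pointed at /var/log/secure and /etc/hosts.deny.

# Print "COUNT IP" for each source with at least THRESHOLD "Invalid user" lines.
# The address is the field after the LAST "from": the user name is text sent
# by the remote side, and newer sshd appends "port N", so $NF is not reliable.
ban_candidates() {    # usage: ban_candidates LOGFILE THRESHOLD
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Invalid user / {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            # accept dotted-quad IPv4 only (IPv6 is left out of this sketch)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | LC_ALL=C sort -k2,2
}

# Append "sshd: IP" to DENYFILE unless that exact line is already present.
# Returns 0 when a line was added, 1 when the address was already listed.
deny_ip() {           # usage: deny_ip IP DENYFILE
    grep -qxF -- "sshd: $1" "$2" 2>/dev/null && return 1
    printf 'sshd: %s\n' "$1" >> "$2"
}

# Deny every candidate and print only the addresses that were newly added.
auto_deny() {         # usage: auto_deny LOGFILE DENYFILE THRESHOLD
    ban_candidates "$1" "$3" | while read -r _count ip; do
        if deny_ip "$ip" "$2"; then echo "$ip"; fi
    done
}

# Constructed sample log (documentation addresses), not real traffic.
demo_log() {
    for n in 1 2 3 4 5; do
        echo "Jun 22 10:0$n:01 host sshd[100$n]: Invalid user admin from 192.0.2.10"
    done
    echo "Jun 22 10:06:01 host sshd[1006]: Invalid user test from 198.51.100.7 port 40022"
    echo "Jun 22 10:07:01 host sshd[1007]: Invalid user a from 203.0.113.9 from 192.0.2.10"
    echo "Jun 22 10:08:01 host sshd[1008]: Accepted password for bob from 192.0.2.50 port 22 ssh2"
}

# Dry run against a scratch directory.
tmp=$(mktemp -d)
demo_log > "$tmp/secure"
auto_deny "$tmp/secure" "$tmp/hosts.deny" 5    # prints 192.0.2.10
rm -r "$tmp"
```

The script only ever appends entries; expiring them after a set time is left out here.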

montel 06-22-2012 12:06 PM

Quote:

Originally Posted by maail (Post 4709435)
But I want to automatically deny an IP when someone attacks my server with an SSH brute force.

Like someone else said before. Use fail2ban. That should serve your purpose. It will ban an IP after a specified number of attempts, and lock them out for a specified time.

maail 06-22-2012 09:57 PM

Quote:

Originally Posted by montel (Post 4709450)
Like someone else said before. Use fail2ban. That should serve your purpose. It will ban an IP after a specified number of attempts, and lock them out for a specified time.

Are you sure fail2ban can deny an IP automatically?
Can you explain step by step how to configure fail2ban? Because I do not understand how to use fail2ban.
Sorry, my English is bad. I am from Indonesia. Help me please!

montel 06-24-2012 01:29 AM

Yeah, I have set fail2ban up on a few servers, it is very easy to install/administer.

I haven't used Fedora much, so if I'm wrong with anything just let me know.

Code:

yum install fail2ban

Once it is finished installing, go into the /etc/fail2ban/jail.conf and configure with what you would like.

You can change the maxretry (the amount of times someone can try to login) and the bantime (how long the IP will be banned for).

There are lots of other settings in there too that you can tweak to fit what you want to do.

This may be helpful for you: http://www.howtoforge.com/preventing...ban-on-fedora9

maail 06-24-2012 01:51 AM

Quote:

Originally Posted by montel (Post 4710416)
Yeah, I have set fail2ban up on a few servers, it is very easy to install/administer.

I haven't used Fedora much, so if I'm wrong with anything just let me know.

Code:

yum install fail2ban

Once it is finished installing, go into the /etc/fail2ban/jail.conf and configure with what you would like.

You can change the maxretry (the amount of times someone can try to login) and the bantime (how long the IP will be banned for).

There are lots of other settings in there too that you can tweak to fit what you want to do.

This may be helpful for you: http://www.howtoforge.com/preventing...ban-on-fedora9

Thank you, friend.

montel 06-24-2012 01:52 AM

No problem. Good Luck :)


All times are GMT -5.