LinuxQuestions.org
Old 06-16-2012, 01:33 PM   #1
maail
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Rep: Reputation: Disabled
ssh bruteforce


Hi all
How can I automatically deny an IP when someone does an ssh bruteforce ....
 
Old 06-16-2012, 01:42 PM   #2
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 4,448

Rep: Reputation: 1359
Welcome to LQ!

There is a sticky post in the LQ Security forum that talks about this issue. There is a link in the last post of that thread that is extremely comprehensive. http://www.linuxquestions.org/questi...ml#post2027930

Look at Fail2Ban as it should serve your needs.
 
2 members found this post helpful.
Old 06-22-2012, 11:04 AM   #3
maail
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
But I have a script to deny ssh bruteforce, check it out:
Code:
#!/bin/bash
# This script will monitor for failed login attempts and after a specified number of times add the ip to a deny list
# Chad
LOGFILE="/var/log/secure"
HOSTSDENY="/etc/hosts.deny"
BADCOUNT="5"
# read logfile and look for invalid login attempts
grep sshd "$LOGFILE" | grep "Invalid user" | awk '{print $NF}' | sort | uniq -c | sort -n | sed "s/^[[:space:]]*//" | while read -r i
do
  # read number of failed attempts
  count=$(echo "$i" | cut -d" " -f1)
  # read ip address from failed attempt
  ip=$(echo "$i" | cut -d" " -f2)
  # check hosts.deny file to see if IP already exists (fixed-string, whole-word match)
  already=$(grep -Fw -- "$ip" "$HOSTSDENY" | grep sshd)
  # if IP does not exist add it to hosts.deny file
  if [ -z "$already" ]
  then
    if [ "$count" -ge "$BADCOUNT" ]
    then
      echo "sshd: $ip" >> "$HOSTSDENY"
    fi
  fi
done


So how about this script .....
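An added example (not part of the original post) of the same log-threshold idea, written so that it still works when sshd appends "port N ssh2" to the line and so that each attempt is counted once. The function names `sample_log`, `offenders` and `new_deny_lines`, the sample log lines and the `sshd: <ip>` deny-line format are assumptions made for the illustration.

```shell
#!/bin/bash
# Constructed sample of /var/log/secure (documentation addresses only).
sample_log() { cat <<'EOF'
Jun 22 10:01:01 host sshd[2101]: Invalid user admin from 198.51.100.7 port 40022
Jun 22 10:01:03 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jun 22 10:01:05 host sshd[2102]: Invalid user test from 198.51.100.7 port 40030
Jun 22 10:01:09 host sshd[2103]: Invalid user oracle from 198.51.100.7
Jun 22 10:02:00 host sshd[2110]: Failed password for root from 203.0.113.9 port 51000 ssh2
Jun 22 10:02:02 host sshd[2110]: Failed password for root from 203.0.113.9 port 51000 ssh2
Jun 22 10:02:04 host sshd[2110]: Failed password for root from 203.0.113.9 port 51000 ssh2
Jun 22 10:03:00 host sshd[2120]: Failed password for alice from 192.0.2.10 port 52000 ssh2
Jun 22 10:03:05 host sshd[2120]: Accepted password for alice from 192.0.2.10 port 52000 ssh2
EOF
}

# offenders LOGFILE THRESHOLD -> "count ip" per address at or above THRESHOLD
offenders() {
  awk -v min="$2" '
    # one hit per attempt: "Invalid user" covers unknown accounts, so the
    # matching "Failed password for invalid user" line is not counted again
    /sshd\[[0-9]+\]: Invalid user / ||
    (/sshd\[[0-9]+\]: Failed password for / && !/Failed password for invalid user /) {
      # the user name is client-supplied text, so use the LAST "from" and
      # accept only a dotted-quad IPv4 address after it
      for (i = NF - 1; i > 0; i--)
        if ($i == "from") {
          if ($(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[$(i + 1)]++
          break
        }
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' "$1" | sort -k2
}

# new_deny_lines LOGFILE DENYFILE THRESHOLD -> "sshd: ip" lines still missing
new_deny_lines() {
  offenders "$1" "$3" | while read -r _count ip; do
    # -x matches the whole line, so 10.0.0.1 never matches 10.0.0.11
    grep -qxF "sshd: $ip" "$2" 2>/dev/null || echo "sshd: $ip"
  done
}

# Demo on the sample in a scratch directory: /etc/hosts.deny is not touched.
demo_dir=$(mktemp -d)
sample_log > "$demo_dir/secure"
echo "sshd: 203.0.113.9" > "$demo_dir/hosts.deny"
new_deny_lines "$demo_dir/secure" "$demo_dir/hosts.deny" 3
rm -r "$demo_dir"
```

The output of `new_deny_lines` can be reviewed before it is appended to the real deny file, which keeps a parsing mistake from locking out a legitimate address.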
 
Old 06-22-2012, 11:17 AM   #4
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,971
Blog Entries: 1

Rep: Reputation: 208
Quote:
Originally Posted by maail View Post
Hi all
How can I automatically deny an IP when someone does an ssh bruteforce ....
Depending on your distro...

But on Red Hat systems (RHEL/CentOS/Fedora) you can edit the /etc/hosts.allow and the /etc/hosts.deny files

-C
 
Old 06-22-2012, 11:24 AM   #5
maail
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
My distro is Fedora 12. Can you try whether this script works or not on your system? Because for me this script does not work in Fedora 12 .....
Can you help me .....
 
Old 06-22-2012, 12:07 PM   #6
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,971
Blog Entries: 1

Rep: Reputation: 208
Fedora 12 is an old distro. I would recommend upgrading to Fedora 17

Once you have that you can follow this example:

Let's say you want to deny the 192.168.2.54 address but allow all others

/etc/hosts.deny
Code:
sshd:	192.168.2.54
/etc/hosts.allow
Code:
sshd:	ALL
-C
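An added example (not part of the post above) modelling the order in which tcp_wrappers consults the two files, as documented in hosts_access(5): a match in hosts.allow grants access, otherwise a match in hosts.deny denies it, otherwise access is granted. The functions `rule_matches` and `tcpd_decision` are hypothetical names, and this simplified model understands only literal addresses and the ALL wildcard.

```shell
#!/bin/bash
# Simplified model of the hosts_access(5) decision order (added example).

# rule_matches FILE DAEMON CLIENT -> exit status 0 if a rule in FILE matches
rule_matches() {
  awk -v d="$2" -v c="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
      split($0, part, ":")                       # "daemon_list : client_list"
      nd = split(part[1], dl, /[ \t,]+/)
      nc = split(part[2], cl, /[ \t,]+/)
      dm = cm = 0
      for (i = 1; i <= nd; i++) if (dl[i] == d || dl[i] == "ALL") dm = 1
      for (i = 1; i <= nc; i++) if (cl[i] == c || cl[i] == "ALL") cm = 1
      if (dm && cm) { found = 1; exit }
    }
    END { exit !found }
  ' "$1" 2>/dev/null
}

# tcpd_decision ALLOWFILE DENYFILE DAEMON CLIENT -> prints "granted" or "denied"
tcpd_decision() {
  if rule_matches "$1" "$3" "$4"; then echo granted      # hosts.allow is read first
  elif rule_matches "$2" "$3" "$4"; then echo denied     # then hosts.deny
  else echo granted                                      # no match in either file
  fi
}

# Demo in a scratch directory, using the two entries shown in the post.
w=$(mktemp -d)
printf 'sshd:\t192.168.2.54\n' > "$w/hosts.deny"
printf 'sshd:\tALL\n' > "$w/hosts.allow"
tcpd_decision "$w/hosts.allow" "$w/hosts.deny" sshd 192.168.2.54   # granted
: > "$w/hosts.allow"                                               # empty allow file
tcpd_decision "$w/hosts.allow" "$w/hosts.deny" sshd 192.168.2.54   # denied
rm -r "$w"
```

Where the tcp_wrappers tools are installed, `tcpdmatch sshd 192.168.2.54` reports the decision the real library makes for the files under /etc.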
 
Old 06-22-2012, 12:46 PM   #7
maail
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
But I want to automatically deny the IP when someone attacks my server with ssh bruteforce ....
 
Old 06-22-2012, 01:03 PM   #8
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,971
Blog Entries: 1

Rep: Reputation: 208
Without writing the script for you

Something like

Code:
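if ! grep -qF "${ipaddr}" /etc/hosts.deny ; then
  # keep a backup before rewriting the file
  cp /etc/hosts.deny /etc/,hosts.deny.bk
  # double quotes so the shell expands ${ipaddr} inside the sed expression
  sed -e "s/sshd\:     /sshd:  ${ipaddr},/g" /etc/hosts.deny > /tmp/,hosts.deny
  cat /tmp/,hosts.deny > /etc/hosts.deny
  rm /tmp/,hosts.deny
fi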
I'm sure you can fit that in with what you've already written....the white space in the sed statement is a TAB.

-C
 
Old 06-22-2012, 01:06 PM   #9
montel
Member
 
Registered: Jun 2012
Location: Canada
Distribution: Ubuntu/Debian/CentOS
Posts: 45

Rep: Reputation: 18
Quote:
Originally Posted by maail View Post
But I want to automatically deny the IP when someone attacks my server with ssh bruteforce ....
Like someone else said before. Use fail2ban. That should serve your purpose. It will ban an IP after a specified number of attempts, and lock them out for a specified time.

Last edited by montel; 06-22-2012 at 01:06 PM. Reason: spelling
 
Old 06-22-2012, 10:57 PM   #10
maail
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by montel View Post
Like someone else said before. Use fail2ban. That should serve your purpose. It will ban an IP after a specified number of attempts, and lock them out for a specified time.
Are you sure fail2ban can deny an IP automatically ....
Can you explain step by step how to configure fail2ban, because I do not understand how to use fail2ban ....
Sorry, my English is bad, I am from Indonesia. Help me please!
 
Old 06-24-2012, 02:29 AM   #11
montel
Member
 
Registered: Jun 2012
Location: Canada
Distribution: Ubuntu/Debian/CentOS
Posts: 45

Rep: Reputation: 18
Yeah, I have set fail2ban up on a few servers, it is very easy to install/administer.

I haven't used Fedora much, so if I'm wrong with anything just let me know.

Code:
yum install fail2ban
Once it is finished installing, go into the /etc/fail2ban/jail.conf and configure with what you would like.

You can change the maxretry (the amount of times someone can try to login) and the bantime (how long the IP will be banned for).

There are lots of other settings in there too that you can tweak to fit what you want to do.

This may be helpful for you: http://www.howtoforge.com/preventing...ban-on-fedora9

Last edited by montel; 06-24-2012 at 02:30 AM.
 
Old 06-24-2012, 02:51 AM   #12
maail
LQ Newbie
 
Registered: Apr 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by montel View Post
Yeah, I have set fail2ban up on a few servers, it is very easy to install/administer.

I haven't used Fedora much, so if I'm wrong with anything just let me know.

Code:
yum install fail2ban
Once it is finished installing, go into the /etc/fail2ban/jail.conf and configure with what you would like.

You can change the maxretry (the amount of times someone can try to login) and the bantime (how long the IP will be banned for).

There are lots of other settings in there too that you can tweak to fit what you want to do.

This may be helpful for you: http://www.howtoforge.com/preventing...ban-on-fedora9
Thank you friend ....
 
Old 06-24-2012, 02:52 AM   #13
montel
Member
 
Registered: Jun 2012
Location: Canada
Distribution: Ubuntu/Debian/CentOS
Posts: 45

Rep: Reputation: 18
No problem. Good Luck
 
  

