How to automatically block SSH brute force attack

Bash script to block SSH attackers IP address automatically


  Introduction: SSH and Brute Force attack

    SSH stands for "Secure Shell". It is a protocol used to securely connect to a remote server or system. SSH is secure in the sense that all data between the client and the host is transferred in encrypted form.

Brute Force

    A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations’ systems and networks. The hacker tries multiple usernames and passwords, often using a computer to test a wide range of combinations, until they find the correct login information.

  Overview: SSH Brute Force Attack Protection

    In this article I provide a Bash script that scans the last 1000 lines of the SSH log. If failed login attempts are found, the IP addresses with 3 consecutive failed attempts are extracted and blocked using iptables.
    The script can also email you the IP address that was blocked.

  Pre-requisites:

Make sure the following are installed:
iptables
Sendmail or Postfix (only needed for the email notification)

  Steps to be followed

Follow the steps below to create the bash script and schedule it to run in the background every minute so that attacker IPs are blocked automatically.

  Step 1: Bash script file

Create a bash script file named sshscan.sh in the /usr/src folder:
cd /usr/src/
vi sshscan.sh
Copy and paste the script below into the sshscan.sh file.

#!/bin/sh

# scan /var/log/secure for failed ssh attempts
# use iptables to block the bad guys

# Looking for attempts on existing and non-existing users. For example:
# Nov 2 22:44:07 pbxer sshd[28318]: Failed password for root from 74.143.42.70 port 52416 ssh2
# Nov 3 00:06:57 pbxer sshd[31767]: Failed password for invalid user mat3 from 192.203.145.200 port 35841 ssh2

LOG=/var/log/secure          # Debian/Ubuntu log sshd to /var/log/auth.log instead
MAILTO=urmailid@gmail.com    # address that receives the "denying ip" notice

# The source IP is field 11 for an existing user and field 13 when the line
# contains "invalid user". A host is blocked once it has more than 4 failures
# within the last 1000 lines of the log.
tail -1000 "$LOG" | awk '/sshd/ && /Failed password for/ { if (/invalid user/) try[$13]++; else try[$11]++; }
END { for (h in try) if (try[h] > 4) print h; }' |
while read -r ip
do
    # skip hosts that already have a DROP rule (iptables -C tests for an existing rule)
    if /sbin/iptables -C INPUT -s "$ip" -j DROP 2>/dev/null ; then
        # echo "already denied ip: [$ip]" ;
        true
    else
        echo "Subject: denying ip: $ip" | /usr/sbin/sendmail "$MAILTO"
        logger -p authpriv.notice "*** Blocking SSH attempt from: $ip"
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done

Give the file execute permission using the chmod command:
chmod 755 sshscan.sh
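The script above counts the IP address by fixed field position (field 11 or 13), which only works for the classic syslog line layout. The added example below is not the original sshscan.sh; it anchors on the "from <ip> port" tokens instead, so the same count works on lines whose timestamp prefix differs (ISO timestamps, journalctl output). The log lines it runs against are constructed samples using documentation addresses, not real traffic, and the threshold is passed as an argument rather than hard-coded.

```shell
#!/bin/sh
# Added example, not the original sshscan.sh: find repeat offenders in an
# sshd log by anchoring on the "from <ip> port" tokens rather than fixed
# field numbers, so the count also works when the timestamp prefix differs
# from the classic syslog form (ISO timestamps, journalctl output).

# ssh_offenders LOGFILE THRESHOLD
# Prints, sorted, one IP per line for every source address that has more
# than THRESHOLD "Failed password" entries in LOGFILE.
ssh_offenders() {
    awk -v limit="$2" '
        /sshd/ && /Failed password for/ {
            # the source address is always the token right after "from"
            for (i = 1; i < NF; i++) {
                if ($i == "from") { try[$(i + 1)]++; break }
            }
        }
        END { for (h in try) if (try[h] > limit) print h }
    ' "$1" | sort
}

# write_sample_log FILE
# Writes constructed sample lines (documentation addresses, not real traffic):
# 203.0.113.10 fails six times across two timestamp styles, 198.51.100.7 fails
# three times, and the successful login at the end must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov  2 22:44:07 host sshd[28318]: Failed password for root from 203.0.113.10 port 52416 ssh2
Nov  2 22:44:09 host sshd[28318]: Failed password for root from 203.0.113.10 port 52416 ssh2
Nov  2 22:44:11 host sshd[28318]: Failed password for root from 203.0.113.10 port 52416 ssh2
Nov  2 22:45:01 host sshd[28330]: Failed password for invalid user mat3 from 203.0.113.10 port 52420 ssh2
Nov  2 22:45:03 host sshd[28330]: Failed password for invalid user mat3 from 203.0.113.10 port 52420 ssh2
2020-11-14T11:13:00.000000+00:00 host sshd[28341]: Failed password for invalid user admin from 203.0.113.10 port 52430 ssh2
Nov  2 22:50:00 host sshd[28350]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov  2 22:50:02 host sshd[28350]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov  2 22:50:04 host sshd[28350]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov  2 22:50:10 host sshd[28350]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
EOF
}

# Usage: ./offenders.sh /var/log/secure 4   (without arguments it runs on the sample log)
if [ -n "${1:-}" ]; then
    ssh_offenders "$1" "${2:-4}"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    ssh_offenders "$sample" 4          # prints 203.0.113.10
    rm -f "$sample"
fi
```

With threshold 4 only 203.0.113.10 is reported, because its three classic-format root failures, two "invalid user" failures and one ISO-timestamped failure are all attributed to the same address; 198.51.100.7 stays below the threshold and its "Accepted password" line is never counted. The output of ssh_offenders can be piped into the same while/iptables loop as sshscan.sh.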

  Step 2: Running the sshscan.sh script

    You can either run the sshscan.sh script manually to scan the SSH log and block the attackers' IP addresses, or schedule the script to run every minute using a cron job.

To run it manually, type:

/usr/src/sshscan.sh

To schedule it as a cron job, follow the steps below.

Open the crontab file with the command:

crontab -e

Add the lines below at the end of the file. The first line runs the script every minute; the second runs it once at boot so the rules are reapplied after a restart (iptables rules are not persistent by default).

* * * * * /usr/src/sshscan.sh

@reboot /usr/src/sshscan.sh

iptables command to check the blocked IPs
Run the iptables command below to list the IP addresses blocked by the script.

iptables -L -n

  Conclusion:

    The provided script checks the default SSH log file, /var/log/secure. If your SSH log file is different (for example /var/log/auth.log on Debian and Ubuntu), change the path in the bash script accordingly.

2 Comments
  • Unknown, November 14, 2020 at 11:13 AM

    Hey Striker, I am a big fan, I learned a lot from your videos. I am facing the same problem on my server, which is in the cloud, and my SIP is getting drained. I can't use this code and paste it on SSH. Can you do a video tutorial for it please?

  • Titan Mostafa, May 26, 2021 at 10:10 PM

    Thanks a lot.
