How to automatically block SSH brute force attack

Topic: SSH Brute force protection

    If your linux server is under ssh brute force attack and want to block those hackers IP automatically, then this article is for you.

    In this article i have provided a simple bash script which will scan the last 1000 lines of sshd logs for failed attempts, then copies the IP address for more than 4 failed login attempts and using the IPTABLES the malicious IP's  will be blocked.

SSH brute force attack

SSH - Brute Force attack?

    SSH stands for “Secure Shell”. It is a protocol used to securely connect to a remote server/system. ssh is secure in the sense that it transfers the data in encrypted form between the host and the client

Brute Force

    A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizations’ systems and networks. The hacker tries multiple usernames and passwords, often using a computer to test a wide range of combinations, until they find the correct login information.

Overview: SSH Brute Force Attack Protection

    In this Article i have provided a Bash script, which will scan last 1000 lines of the SSH error logs, if any failed attempts detected in the logs the IP address of the 3 consecutives failed attempts will be filtered and blocked using the IPTABLES.
    The script also has the option to email the IP address which is blocked.


Make sure you have installed 
Sendmail or Postfix

Steps to be followed

Follow the below steps to create a bash script file and schedule the file to run on background every minute to block the attackers IP.

Step 1: Bash script file

Create a bash script file in /usr/src folder named as 
cd /usr/src/
Copy paste the below script in the file.


# scan /var/log/secure for ssh attempts
# use iptables to block the bad guys

# Looking for attempts on existing and non-existing users. For example:
# Nov 2 22:44:07 pbxer sshd[28318]: Failed password for root from port 52416 ssh2
# Nov 3 00:06:57 pbxer sshd[31767]: Failed password for invalid user mat3 from port 35841 ssh2

tail -1000 /var/log/secure | awk '/sshd/ && /Failed password for/ { if (/invalid user/) try[$13]++; else try[$11]++; }
END { for (h in try) if (try[h] > 4) print h; }' |
while read ip
# note: check if IP is already blocked...
/sbin/iptables -L -n | grep $ip > /dev/null
if [ $? -eq 0 ] ; then
# echo "already denied ip: [$ip]" ;
echo "Subject: denying ip: $ip" | /usr/sbin/sendmail
logger -p authpriv.notice "*** Blocking SSH attempt from: $ip"
/sbin/iptables -I INPUT -s $ip -j DROP

Provide the executable permission to the file using chmod command
chmod 755

Step 2: Running the script

    Either you run the script manually type to scan the ssh log and block the IP address or attackers or you can schedule the script run every minute using cronjob.

to run manually type


To schedule in cronjob follow the below steps

open the crontab file by by below command

crontab -e

At the last line of the file enter the below line to run the script every minute

 * * * * * /usr/src/

@reboot /usr/src/

IPTables command to check the blocked ip
Run the below IPtables command to check the IP's which blocked by the script.

iptables -L -n


    The provided script will check the default ssh log file - /var/log/secure, if your ssh log file is different change the same in the bash script.

    Vicidial or asterisk servers are common target of ssh brute force attacks, use the script provided here for SSHD brute force protection 

  • Unknown
    Unknown November 14, 2020 at 11:13 AM

    hey striker..i am big fan..learned from ur videos a lot.. i am facing the same problem in my server which is in cloud and my sip is getting drained..i cant use this code and paste in on ssh can u do a video tutorial for it pls

  • Titan Mostafa
    Titan Mostafa May 26, 2021 at 10:10 PM

    thnx a lot.

Add Comment
comment url