Topic: SSH Brute force protection
If your Linux server is under an SSH brute-force attack and you want to block the attackers' IP addresses automatically, this article is for you.
In this article I have provided a simple bash script that scans the last 1000 lines of the sshd log for failed attempts, picks out every source IP address with more than 4 failed login attempts, and blocks those malicious IPs using iptables.
SSH - Brute Force attack?
SSH stands for "Secure Shell". It is a protocol used to securely connect to a remote server or system. SSH is secure in the sense that all data between the host and the client is transferred in encrypted form.
Brute Force
A brute-force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and to organizations' systems and networks. The attacker tries multiple usernames and passwords, usually using a computer to test a wide range of combinations, until the correct login information is found.
Overview: SSH Brute Force Attack Protection
In this article I have provided a bash script that scans the last 1000 lines of the SSH error log; if failed attempts are detected in the log, the IP address behind the 3 consecutive failed attempts is filtered out and blocked using iptables.
The script also has the option to email you the IP address that was blocked.
Pre-requisites:
IPTables
Sendmail or Postfix
Steps to be followed
Step 1: Bash script file
cd /usr/src/
vi sshscan.sh
#!/bin/sh
# scan /var/log/secure for ssh attempts
# use iptables to block the bad guys
# Looking for attempts on existing and non-existing users. For example:
# Nov 2 22:44:07 pbxer sshd[28318]: Failed password for root from 74.143.42.70 port 52416 ssh2
# Nov 3 00:06:57 pbxer sshd[31767]: Failed password for invalid user mat3 from 192.203.145.200 port 35841 ssh2
#
# For a real user the IP is field 11; for an "invalid user" line the two
# extra words shift it to field 13. Any IP with more than 4 failures is printed.
tail -n 1000 /var/log/secure | awk '/sshd/ && /Failed password for/ {
    if (/invalid user/) try[$13]++; else try[$11]++;
}
END { for (h in try) if (try[h] > 4) print h; }' |
while read -r ip
do
    # note: check if IP is already blocked. -w and -F make the match exact,
    # so 1.2.3.4 is not mistaken for an existing rule on 1.2.3.45.
    if /sbin/iptables -L -n | grep -qwF -- "$ip" ; then
        # echo "already denied ip: [$ip]" ;
        true
    else
        echo "Subject: denying ip: $ip" | /usr/sbin/sendmail urmailid@gmail.com
        logger -p authpriv.notice "*** Blocking SSH attempt from: $ip"
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done
chmod 755 sshscan.sh
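To see exactly what the awk filter above counts before pointing it at a live firewall, here is an added example (not part of the original script) that runs the same field logic over a few constructed sshd log lines and replaces the iptables calls with a dry run, so it can be executed without root. The sample lines, the helper names (ssh_offenders, is_blocked, plan_blocks) and the threshold argument are assumptions of this example.

```sh
#!/bin/sh
# Constructed sample of /var/log/secure lines (not a real capture): one IP with
# 5 failures, two with a single failure, and one successful login. Both
# "invalid user" and real-user lines are included so fields $11 and $13 are exercised.
SAMPLE_LOG='Nov  2 22:44:07 pbxer sshd[28318]: Failed password for root from 74.143.42.70 port 52416 ssh2
Nov  2 22:44:09 pbxer sshd[28318]: Failed password for root from 74.143.42.70 port 52417 ssh2
Nov  2 22:44:11 pbxer sshd[28320]: Failed password for invalid user admin from 74.143.42.70 port 52418 ssh2
Nov  2 22:44:13 pbxer sshd[28322]: Failed password for invalid user oracle from 74.143.42.70 port 52419 ssh2
Nov  2 22:44:15 pbxer sshd[28324]: Failed password for root from 74.143.42.70 port 52420 ssh2
Nov  3 00:06:57 pbxer sshd[31767]: Failed password for invalid user mat3 from 192.203.145.200 port 35841 ssh2
Nov  3 00:07:10 pbxer sshd[31770]: Accepted password for alice from 10.0.0.5 port 40000 ssh2
Nov  3 00:07:12 pbxer sshd[31771]: Failed password for bob from 10.0.0.5 port 40001 ssh2'

# ssh_offenders THRESHOLD < log : print IPs with more than THRESHOLD failures,
# using the same field logic as the script ($11 for real users, $13 after "invalid user").
ssh_offenders() {
    awk -v limit="$1" '/sshd/ && /Failed password for/ {
        if (/invalid user/) try[$13]++; else try[$11]++;
    }
    END { for (h in try) if (try[h] > limit) print h; }' | LC_ALL=C sort
}

# is_blocked IP RULELIST : exact-match check against an "iptables -L -n" listing
# (passed in as text here), so 10.0.0.5 does not match a rule on 10.0.0.50.
is_blocked() {
    printf '%s\n' "$2" | grep -qwF -- "$1"
}

# plan_blocks LOG RULELIST THRESHOLD : dry run of the script's loop; prints the
# IPs that would get a new DROP rule instead of calling iptables.
plan_blocks() {
    existing="$2"
    printf '%s\n' "$1" | ssh_offenders "$3" | while read -r ip; do
        if is_blocked "$ip" "$existing"; then
            echo "already denied: $ip" >&2
        else
            echo "$ip"   # real script: iptables -I INPUT -s "$ip" -j DROP
        fi
    done
}

# With the script's threshold of 4, only 74.143.42.70 (5 failures) is reported.
plan_blocks "$SAMPLE_LOG" "" 4
```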
Step 2: Running the sshscan.sh script
Either run the sshscan.sh script manually to scan the SSH log and block the attackers' IP addresses, or schedule it to run every minute as a cron job.
To run it manually, type:
/usr/src/sshscan.sh
To schedule it as a cron job, follow the steps below.
Open the crontab file with the command below:
crontab -e
At the end of the file add the lines below so that the script runs every minute, and once at boot:
* * * * * /usr/src/sshscan.sh
@reboot /usr/src/sshscan.sh
IPTables command to check the blocked ip
Run the iptables command below to list the IPs that have been blocked by the script.
iptables -L -n
Conclusion:
The provided script checks the default SSH log file, /var/log/secure; if your SSH log file is different, change the path in the bash script.
Vicidial and Asterisk servers are common targets of SSH brute-force attacks; use the script provided here for sshd brute-force protection.