Thursday, October 27, 2005

SSH Brute Force Attacks

Greg shares a version of his script to help in fighting brute force attacks. He has some great ideas and one day, if time permits, I will try to work on it :).



#!/bin/bash
# Count "authentication failure" lines per source host. $13 is the rhost=
# field in the sshd(pam_unix) log format this script was written against.
cat /var/log/messages | grep -i sshd | grep -i "authentication failure" | awk '{print $13}' | cut -d'=' -f2 | sort | uniq -c >> /var/log/brute.list
INFILE="/var/log/brute.list"
exec < $INFILE

while read COUNT IPADDR
do
  #echo count=$COUNT ipaddr=$IPADDR
  if [ $COUNT -gt 5 ]
  then
    # Insert the DROP rule at the top of the RH-Firewall-1-INPUT chain so it
    # takes effect before the chain's SSH ACCEPT rule.
    iptables -I RH-Firewall-1-INPUT -s $IPADDR -p tcp -j DROP
    echo $IPADDR should be blocked
    #echo $IPADDR has been blocked | mail -s "Blocked IP's" gregoryd at isc.upenn.edu
    # Note: iptables-save only prints the ruleset to stdout; redirect it to
    # a file if the rules should survive a reboot.
    iptables-save
  fi
done

Hi,
I am sure many of you are also getting the SSH brute force attacks. I
have been working on a little script that looks at the /var messages
for failed login attempts and if over a certain threshold blocks them.
It seems to work pretty well so far except it puts multiple blocks in
for IPs that are already there. This is what I have right now:
...
I want to build more logic into it that would compare two files and if
it is in the one file of the blocked IP list do nothing, BUT if it isn't
in the blocked IP list block it, add it to the list and resort it.

Anybody have any ideas how to do that?


ThanX,

Greg
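An added example of the comparison Greg asks for, written in bash (this is not Greg's script or any code from the original post): it counts sshd authentication failures per rhost, then reports only addresses over the threshold that are not already in a blocked-list file, so re-running it never adds a duplicate rule. The log lines are constructed, and the list path /var/log/brute.blocked and the --dport 22 restriction on the DROP rule are assumptions.

```bash
#!/bin/bash
# Added example, not Greg's script. Counts sshd authentication failures per
# source host and reports only hosts over the threshold that are NOT already
# in the blocked list, so repeated runs never add duplicate firewall rules.
# The log lines are constructed here so the example runs offline.

THRESHOLD=5
BLOCKED=${BLOCKED:-/var/log/brute.blocked}   # assumed path for the list

sample_log() {   # constructed sample in the 2005-era sshd(pam_unix) format
  local ip i
  for ip in 192.0.2.10 203.0.113.9; do
    for i in 1 2 3 4 5 6; do
      echo "Oct 27 10:0$i:00 host sshd(pam_unix)[210$i]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=$ip user=root"
    done
  done
  echo "Oct 27 10:07:00 host sshd(pam_unix)[2107]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=admin"
  echo "Oct 27 10:08:00 host sshd[2108]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2"
}

# stdin: log lines -> stdout: "COUNT IP" per host. Pulling the value after
# "rhost=" instead of a fixed awk field survives changes in the log prefix.
count_failures() {
  grep -i 'sshd' | grep -i 'authentication failure' \
    | sed -n 's/.*rhost=\([^ ][^ ]*\).*/\1/p' | sort | uniq -c \
    | awk '{print $1, $2}'
}

# $1: blocked-list file; stdin: "COUNT IP". Prints hosts over THRESHOLD that
# are not yet listed (exact whole-line match). Decision only, no iptables.
new_offenders() {
  local blocked=$1 count ip
  while read -r count ip; do
    [ "$count" -gt "$THRESHOLD" ] || continue
    if [ -f "$blocked" ] && grep -qxF "$ip" "$blocked"; then continue; fi
    echo "$ip"
  done
}

# $1: blocked-list file; $2: address. Inserts the DROP at the top of the
# Red Hat chain (so it precedes the SSH ACCEPT rule) and records the address.
block_ip() {
  iptables -I RH-Firewall-1-INPUT -s "$2" -p tcp --dport 22 -j DROP \
    && echo "$2" >> "$1" && sort -u -o "$1" "$1"
}

# Stand-alone demo: in production, pipe /var/log/messages into count_failures
# and call block_ip "$BLOCKED" on each address new_offenders prints.
sample_log | count_failures | new_offenders "$BLOCKED" | sed 's/^/would block: /'
```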



Brute Force
