
Help with SSH issue


seshperankh
30th August 2009, 20:43
Hi. I am hoping someone can write a how-to for this or point me in the right direction.

My boss wants me to set up something with SSHD so that when someone tries to log in 5 times and fails, it blocks their IP.

I would like to do this without multiple patches or add-ons. I will have to do this on 6 servers with different Linux distros.

martinfst
30th August 2009, 20:50
Have a look at the package 'denyhosts'. It's available for various systems/distributions as a standard package.

http://denyhosts.sourceforge.net/

jon
30th August 2009, 21:57
I use fail2ban for that; it's a simple Python script that takes care of that for you. Although if it's not available for all the distros you have, the DenyHosts idea would be great.

id10t
31st August 2009, 17:29
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --update --seconds 60 --hitcount 4 -j DROP


Something like this should drop connections if they've made 4 unsuccessful attempts in the last 60 seconds...
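The "Couldn't load match `sshbrute'" error reported below comes from the syntax, not from a missing package: iptables has no `sshbrute` match. The extension that does this job is `recent`, and `sshbrute` is only the name you give its address list. The following is an added example, not code from the thread, showing the same idea with the real match. The interface (eth0), window (60 s), threshold (5 new connections) and the management network 203.0.113.0/24 that is never rate-limited are assumed values; run it as root, or with `IPTABLES=echo` to see the rules without applying them.

```shell
#!/bin/sh
# Added example (not from the thread): rate-limit new SSH connections per source
# address with the standard iptables "recent" match. "sshbrute" is only the name
# of the recent list; there is no "-m sshbrute" extension, which is why the
# "Couldn't load match" error appears. Run as root; set IPTABLES=echo to dry-run.
# Interface, window, threshold and admin network below are assumed values.

IPTABLES=${IPTABLES:-iptables}
IFACE=${IFACE:-eth0}
WINDOW=${WINDOW:-60}                     # seconds
HITS=${HITS:-5}                          # the 5th new connection in the window is dropped
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}   # assumed management network, never rate-limited

ssh_brute_rules() {
    # Established sessions are never touched by the counters.
    "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --dport 22 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Whitelist before the counters so the admin network cannot lock itself out.
    "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    # DROP rule first: --update refreshes the source's timestamp on every hit,
    # so a host that keeps retrying stays blocked until it has been quiet for WINDOW s.
    "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshbrute --rsource --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Then record every other new connection in the list and let it through.
    "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshbrute --rsource --set -j ACCEPT
}

# To see who is currently in the list:
#   cat /proc/net/xt_recent/sshbrute     (ipt_recent instead of xt_recent on older kernels)
```

Two caveats for the boss's "5 failed logins" requirement. First, `recent` counts new TCP connections from a source, not failed logins: a legitimate user who reconnects five times in a minute is dropped just like an attacker, which is why the whitelist rule is there. Second, one connection can carry several password guesses (sshd's `MaxAuthTries`, default 6), so lower that in `sshd_config` too, or the attacker gets 5 x 6 guesses per window. Counting actual failures needs the log-parsing approach that DenyHosts and fail2ban use.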

dipeshmehta
1st September 2009, 08:13
I get following error:
root@server:~# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --set
iptables v1.3.8: Couldn't load match `sshbrute':/lib/iptables/libipt_sshbrute.so: cannot open shared object file: No such file or directory
Dipesh

Leszek
1st September 2009, 10:20
I recommend DenyHosts and Fail2Ban. You should pick only one.
Check that it will not interfere with any other software you are using.
For DenyHosts your sshd should be compiled with tcpwrappers support (most are, including binary versions). It is an application-level lock, while Fail2Ban uses iptables (also present in most distributions), which can lock out an IP address at the network level. It looks like both could be used at once, but I only use DenyHosts. It seems to do the job well. Be sure to set IPs that will never get banned, to avoid locking yourself out.

seshperankh
14th September 2009, 17:28
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m sshbrute --update --seconds 60 --hitcount 4 -j DROP


Something like this should drop connections if they've made 4 unsuccessful attempts in the last 60 seconds...

:D

I appreciate the answer, id10t. Unfortunately I get the same error as dipeshmehta.
I will have to look at this more to figure out the best way to do this. Now that I have a way to go, I can at least research it.

thanks

Leszek, I would love to try one of those, but the boss doesn't want to go that route.

id10t
14th September 2009, 20:58
Found that by googling for an iptables primer... sorry it doesn't work as advertised. But as you said, it may give you a good starting point.

Leszek
14th September 2009, 22:50
:D
Leszek, I would love to try one of those, but the boss doesnt want to go that route.
I know what you mean. Same here (sometimes) ;)

matey
26th October 2009, 18:24
By the way, this is a cool command to get the intruders' IPs from /var/log/auth.log
and then put them in the /etc/hosts.deny file;
I made a script out of it, chmod'ed it and ran it;


I had a problem with this line, but I leave it for those who know what they are doing lol; #grep 'Failed password' /var/log/auth.log|cut -d ']' --fields=2|cut -d ' ' --fields=9|uniq -c|sort -nr > ct-result.txt

This one works for me, well, sort of, because it is hard to tell which column the IP address is registered in: 13? or 14? or??

grep 'from' /var/log/auth.log|cut -d ' ' --field=13|uniq -c|sort -nr > ct-result.txt

Then I give it 2 seconds to write the results into a text file:
sleep 2
cat ct-result.txt |more

I copy all the intruders' IPs and paste them into the /etc/hosts.deny file.

the following is a note to myself;
#To get a line number use sed like if you want line 40 of a file called file-1 do:
# sed '40q;d' file-1
#or use awk 'NR==40 {print;exit}' file-1

IF Anyone can make it better please post it here.

thanks!
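The column problem in the post above has a simple cause: sshd writes "Failed password for root from 1.2.3.4 port 51022 ssh2" for a known account but "Failed password for invalid user admin from 1.2.3.4 port 51030 ssh2" for an unknown one, so the IP moves between field 11 and field 13 depending on the line. Anchoring on the "from <ip> port" text instead of counting fields avoids that. The script below is an added example, not matey's script, and ties the log parsing back to the original requirement (5 failures, then block): it counts "Failed password" lines per source address and prints the offenders in /etc/hosts.deny format. The log lines are constructed for the example, it handles IPv4 only, the threshold of 5 is the one from the first post, and, as Leszek noted, hosts.deny only works if sshd was built with tcp_wrappers support.

```shell
#!/bin/sh
# Added example (not from the thread): count sshd "Failed password" lines per
# source IP and print repeat offenders in /etc/hosts.deny format.
# Assumptions: OpenSSH log format, IPv4 addresses, threshold of 5 failures,
# sshd linked against tcp_wrappers so that hosts.deny is honoured.

THRESHOLD=${THRESHOLD:-5}

# Constructed auth.log excerpt. Note that "invalid user" lines have two extra
# fields, which is why counting columns with cut gives different answers.
SAMPLE_LOG='Oct 26 18:01:02 server sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct 26 18:01:05 server sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Oct 26 18:01:09 server sshd[1205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Oct 26 18:01:12 server sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 51052 ssh2
Oct 26 18:01:15 server sshd[1209]: Failed password for root from 198.51.100.7 port 51060 ssh2
Oct 26 18:02:01 server sshd[1211]: Failed password for bob from 203.0.113.5 port 40001 ssh2
Oct 26 18:02:40 server sshd[1213]: Accepted password for bob from 203.0.113.5 port 40002 ssh2
Oct 26 18:03:00 server sshd[1215]: Failed password for invalid user oracle from 192.0.2.99 port 33001 ssh2
Oct 26 18:03:01 server sshd[1217]: Failed password for invalid user oracle from 192.0.2.99 port 33002 ssh2'

# failed_counts: read a log on stdin, print "<count> <ip>", most failures first.
# The IP is taken from the text between " from " and " port ", whatever the
# user-name part of the line looks like.
failed_counts() {
    grep 'sshd\[[0-9]*]: Failed password for ' \
    | sed -n 's/.* from \([0-9.]*\) port [0-9]*.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# offenders: IPs with at least THRESHOLD failures, one per line.
offenders() {
    failed_counts | awk -v t="$THRESHOLD" '$1 >= t {print $2}'
}

# hosts_deny_lines: the same list in tcp_wrappers syntax for /etc/hosts.deny.
hosts_deny_lines() {
    offenders | sed 's/^/sshd: /'
}

# Dry run against the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | hosts_deny_lines
# Against the real log, as root (e.g. from cron), appending to hosts.deny:
#   hosts_deny_lines < /var/log/auth.log >> /etc/hosts.deny
```

On the sample, only 198.51.100.7 crosses the threshold; the user who mistyped once and then logged in is left alone. Appending blindly adds an address again on every run, so in practice filter against the entries already in /etc/hosts.deny (or just use DenyHosts, which does exactly this job and also expires old entries). A batch script run from cron is also not real time: an attacker gets the whole interval between runs.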

martinfst
26th October 2009, 18:51
For abusive login detection, there's a standard tool called 'denyhosts', installable directly from most repositories.