Tuesday, August 6, 2013

Automatically Block the IP Addresses of Hosts That Try to Break In over SSH

Automatically blocking, with iptables, the IP addresses of hosts that repeatedly try to log in to the server over SSH with a wrong password.


Dependencies
1. iptables
2. postfix or sendmail (for the email alert)


Steps

1. Log in to your server via ssh.
2. Change to the source directory: cd /usr/src/
3. Create the script file: vi scan-secure.sh
4. Copy and paste the script below into that file:

#!/bin/sh

# scan /var/log/secure for ssh attempts
# use iptables to block the bad guys

# Looking for attempts on existing and non-existing users. For example:
# Nov 2 22:44:07 pbxer sshd[28318]: Failed password for root from 74.143.42.70 port 52416 ssh2
# Nov 3 00:06:57 pbxer sshd[31767]: Failed password for invalid user mat3 from 192.203.145.200 port 35841 ssh2

# Count failed passwords per source address over the last 1000 lines. The
# address is field 11 on a normal line and field 13 when "invalid user" is
# present; print every address with more than 4 failures.
tail -1000 /var/log/secure | awk '/sshd/ && /Failed password for/ { if (/invalid user/) try[$13]++; else try[$11]++; }
END { for (h in try) if (try[h] > 4) print h; }' |
while read -r ip
do
    # Skip addresses that are already blocked. -w matches the whole address,
    # so 1.2.3.4 is not mistaken for an existing rule on 1.2.3.40.
    if /sbin/iptables -L -n | grep -qwF -- "$ip" ; then
        # echo "already denied ip: [$ip]" ;
        true
    else
        echo "Subject: denying ip: $ip" | /usr/sbin/sendmail urmailid@gmail.com
        logger -p authpriv.notice "*** Blocking SSH attempt from: $ip"
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    fi
done

5. Make the script executable: chmod 755 /usr/src/scan-secure.sh
6. Add a cron entry so the script runs every minute or two:
crontab -e
* * * * * /usr/src/scan-secure.sh
7. Now start iptables:
/etc/init.d/iptables restart


To list the blocked IP addresses, type:
iptables -L -n
