Hello, I'm trying to figure how I can block ssh brute force attacks to my server (FreeBSD 9.0 amd64), so I try two methods, the first was to adapt my Linux script and block it using cron
but it only works if I run it manually, even running it every minute with cron it does'nt nothing :S
The second I try is sshguard-pf, but again it doesn't work.
I uncomment the line:
from /etc/syslog.conf, but still I have logs from brute force attacks
Code:
#!/usr/bin/env bash
# Este script monitorea los intentos fallidos de ingreso al sistema con ssh, al 3ro agrega la ip al archivo /etc/hosts.allow con opcion deny
LOGFILE="/var/log/auth.log"
HOSTSDENY="/etc/hosts.allow"
BADCOUNT="3"
# busco los intentos fallidos en el log
grep sshd $LOGFILE |grep "Invalid user"| awk '{print $NF}'|sort|uniq -c|sort -n|sed "s/[[:space:]]*//" | while read i
do
# los cuento
count=`echo $i | cut -d" " -f1`
# leo la IP
ip=`echo $i | cut -d" " -f2`
# verifico que no exista en hosts.allow
already=`grep $ip $HOSTSDENY | grep ALL`
# si la IP no existe la agrego
if [ -z "$already" ]
then
if [ "$count" -ge "$BADCOUNT" ]
then
echo "ALL : "$ip" : deny" >> $HOSTSDENY
echo "$ip agregada a $HOSTSDENY" | mail -s "sshlock report" root
fi
fi
done
but it only works if I run it manually, even running it every minute with cron it does'nt nothing :S
The second I try is sshguard-pf, but again it doesn't work.
I uncomment the line:
Code:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard -a 3 -p 9200 -s 12000