Hi,

there’s more then one way to mitigate brute force attack against ssh. Obviously the easiest solution is to block all tcp incoming connections to port 22 with iptables, and accept connections only from your static IP address. But is not always possible.

I usually change the default ssh port (22 tcp) to another (for example 1122 tcp). This can mitigate all automatic brute force attacks by botnet, but is not enough. A user can discover the new sshd port by a simple port scan.

For this kind of issue, you need to block dinamically each IP that fails authentication to the sshd. For doing that, i’ve created a bash script that can automatically drop a brute force attack with iptables (log2iptables). You can find it here: https://github.com/theMiddleBlue/log2iptables.

A little example:

Download the script

cd /usr/local/bin
git clone https://github.com/theMiddleBlue/log2iptables.git

Run log2iptables

cd /usr/local/bin/log2iptables
./log2iptables.sh -f /var/log/auth.log -x 1 -r 'sshd.*Failed.password.*from.([0-9\.]+)' -p 1 -l 5

this will insert a iptables rule that drop all IPs that fail password more than 5 times. You can test it, without insert any rules, removing the -x 1 parameter. You can insert it in crontab and check your auth.log every n time, and receive a notify each time it add a new iptables rule.

hope this help :)
bye!

Thanks a million! I’ve just checked after a while and the situation is the same, so yours is great solution, very helpful and thanks a lot again for your time!

i’m glad that it can be useful!
let me know if you have suggestions ;)

bye!

theMiddle would you mind helping me out with this? I seem to be having some trouble

Wow great solution!

Added 65 IPs to the tables. Haven’t seen a failed auth since.