SSHBlack is a must have utility for open servers in the public network(internet). Download the latest versions from the website. The installation steps are as follows:
$ tar -zxf sshblackv281.tar.gz $ mv sshblack /usr/local/sshblack $ cd /usr/local/sshblack # provide excutable permission for the script $ chmod 755 sshblack.pl # Create a new chain BLACKLIST $ iptables -N BLACKLIST
Next we need to update the
sshblack.pl. Open your favourite editor and update the variables
# this will run the process in the background my($DAEMONIZE) = '1'; # The INPUT log file you want to monitor; If Ubuntu OS its '/var/log/auth.log'; if its RedHat based OS '/var/log/secure'; my($LOG) = '/var/log/auth.log'; # Update your static IP which should never be blacklisted, displayed as WWW.XXX.YYY.ZZZ; my($LOCALNET) = '^(?:127\.0\.0\.1|WWW\.XXX\.YYY\.ZZZ)';
Save the file.
./sshblack.pl will start the script as a background process. The
/var/log/sshblacklisting file will log the IP information of clients accessing/attacking the server.
Once the server is attacked more than 5 times(default value of variable $MAXHITS), a block rule is added to iptables with the IP information. This prevents new connections to the server from the attacker, in turn preventing the server from brute force attempts. A sample of IP’s which is blacklisted in my server using the script is listed below:
$ iptables -L Chain BLACKLIST (1 references) target prot opt source destination DROP all -- 184.108.40.206 anywhere DROP all -- 220.127.116.11 anywhere DROP all -- 18.104.22.168 anywhere DROP all -- 22.214.171.124 anywhere DROP all -- 126.96.36.199 anywhere DROP all -- 188.8.131.52 anywhere
If you clear the iptables, make sure to clear the text database which keeps track of the attacked IP address.
echo '' > /var/tmp/ssh-blacklist-pending