Is it possible to automate a firewall rule based on multiple SSH denies?

Posted on 2006-06-03
Last Modified: 2010-04-22
Can someone please help me come up with an automated solution to a problem in which every week my server is being hit by numerous/different SSH attacks?  I would like to automate a process by which I can take this IP addressed attack, add it to my firewall "deny_hosts" file and restart apache.  I do know that these attacks are truly those of hackers at all times. I would like to simply take failed SSH attempts from a single IP over varying usernames and list the IP address from which this attempt is coming, and add it to the deny_hosts.rules file for our firewall.  Please, anyone, do you have a solution for me? I hope that I explained myself thoroughly...

Question by:adanker
    LVL 51

    Expert Comment

    > .. SSH attacks?  .. add it to my firewall "deny_hosts" file .. restart apache.
    hmm, what has your apache to do with SSH or your firewall?

    Anyway, I'd write a simple script which extracts the failed ssh attacks from /var/log/messages (or whatever you configured for your log files), extracts the IP from that message and adds it to your deny_hosts.
    Don't forget to clean up this deny_hosts file periodically, or you end up with a list of all valid IPs ;-)
    LVL 5

    Expert Comment

    Relying on tcp wrappers as an adequate security solution is only setting yourself up for failure.  You should really look into setting up a firewall that only allows inbound ssh (and any other public facing services that you can lock down without problems) to IPs that you want to explicitly allow.  
    LVL 18

    Expert Comment

    I would consider using a tool like portsentry to watch for portscans and then blackhole the malfeasors for a period of time.

    Here are some instructions for setting it up:

    From the [PortSentry introduction]:

    A port scan is a symptom of a larger problem coming your way. It is often the pre-cursor for an attack and is a critical piece of information for properly defending your information resources. PortSentry is a program designed to detect and respond to port scans against a target host in real-time and has a number of options to detect port scans. When it finds one it can react in the following ways:

    A log indicating the incident is made via syslog().
    The target host is automatically dropped into /etc/hosts.deny for TCP Wrappers.
    The local host is automatically re-configured to route all traffic to the target to a dead host to make the target system disappear.
    The local host is automatically re-configured to drop all packets from the target via a local packet filter.
    The purpose of this is to give an admin a heads up that their host is being probed.

    I would also add a cron job to drop the blackholed IPs after 24 hours, once they start failing they typically move on and 24 hours seems to be fine.


    LVL 11

    Expert Comment

    You can also utilize something like SEC to watch syslog and or static files and then take actions based on thresholds.

    I.e. Threshold #1: 10 failures in 15 minutes, run script
    Threshold #2: wait x hrs and then remove the hosts from iptables etc.

    #!/bin/sh
    # usage: block_ip.sh <ip>  (run by SEC when threshold #1 fires)
    [ -n "$1" ] || { echo "usage: $0 <ip>" >&2; exit 1; }
    # update TCP Wrappers (hosts.deny needs "daemon: client", not a bare address)
    echo "sshd: $1" >> /etc/hosts.deny
    # add rule to iptables to drop traffic from that address to sshd
    iptables -A INPUT -p tcp --dport 22 -s "$1" -j DROP
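
    The first comment (pull failed logins out of the syslog messages, extract the IP, and clean the deny list up periodically) and the threshold scheme in this comment describe the same pipeline. The following is an added worked example in Python, not code from the thread, from SEC or from any other tool: it flags source IPs that cross a failure threshold inside a sliding time window, returns the same two commands the script above runs (and their reverse for threshold #2), and expires entries from a deny list after a given age. The log lines are constructed for the example, the year is supplied by the caller because syslog lines omit it, lines are assumed to be in chronological order, and the "ip<TAB>timestamp" deny-list layout is invented here.

```python
"""Threshold-based SSH brute-force detector with deny-list expiry (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog-style sshd failure line; the "port N" part anchors the IP field.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample lines (not from a real host): one source cycling through
# usernames, one legitimate user mistyping once, one slow guesser.
SAMPLE_LOG = """\
Jun  3 10:00:01 host sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 51000 ssh2
Jun  3 10:00:04 host sshd[2002]: Failed password for invalid user oracle from 192.0.2.10 port 51001 ssh2
Jun  3 10:00:07 host sshd[2003]: Failed password for root from 192.0.2.10 port 51002 ssh2
Jun  3 10:00:09 host sshd[2004]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Jun  3 10:00:12 host sshd[2005]: Failed password for invalid user test from 192.0.2.10 port 51003 ssh2
Jun  3 10:00:15 host sshd[2006]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Jun  3 10:00:18 host sshd[2007]: Failed password for invalid user guest from 192.0.2.10 port 51004 ssh2
Jun  3 10:30:00 host sshd[2008]: Failed password for invalid user pi from 203.0.113.7 port 60000 ssh2
Jun  3 10:31:00 host sshd[2009]: Failed password for invalid user pi from 203.0.113.7 port 60001 ssh2
Jun  3 10:32:00 host sshd[2010]: Failed password for invalid user pi from 203.0.113.7 port 60002 ssh2
"""


def parse_failures(log_text, year):
    """Yield (datetime, ip, user) for each 'Failed password' line, in file order."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield when, m["ip"], m["user"]


def offenders(log_text, year, threshold=10, window_seconds=900):
    """Return {ip: (first_seen, last_seen)} for every IP that reaches `threshold`
    failures inside a sliding window of `window_seconds` (threshold #1)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for when, ip, _user in parse_failures(log_text, year):
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget failures that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (q[0], when)
    return flagged


def block_commands(ip):
    """The two commands the thread's script runs, returned rather than executed
    so the caller can log, dry-run or hand them to SEC."""
    return [f"echo 'sshd: {ip}' >> /etc/hosts.deny",
            f"iptables -A INPUT -p tcp --dport 22 -s {ip} -j DROP"]


def unblock_commands(ip):
    """Reverse of block_commands, for threshold #2 (lift the block later)."""
    escaped = ip.replace(".", r"\.")
    return [f"iptables -D INPUT -p tcp --dport 22 -s {ip} -j DROP",
            f"sed -i '/^sshd: {escaped}$/d' /etc/hosts.deny"]


def expired_ips(deny_text, now_iso, max_age_seconds=24 * 3600):
    """Split deny-list records "ip<TAB>YYYY-MM-DDTHH:MM:SS" (a layout assumed for
    this example) into (still_blocked, expired) IP lists as of now_iso."""
    now = datetime.fromisoformat(now_iso)
    keep, drop = [], []
    for line in deny_text.splitlines():
        if not line.strip():
            continue
        ip, blocked_at = line.split("\t")
        age = (now - datetime.fromisoformat(blocked_at)).total_seconds()
        (drop if age >= max_age_seconds else keep).append(ip)
    return keep, drop


if __name__ == "__main__":
    # Threshold lowered to 5 so the short constructed sample trips it.
    for ip, (first, last) in offenders(SAMPLE_LOG, 2006, threshold=5).items():
        print(f"{ip}: {first:%H:%M:%S}..{last:%H:%M:%S} crossed threshold")
        for cmd in block_commands(ip):
            print("  would run:", cmd)
```

    With the comment's own numbers (10 failures in 15 minutes) the sample trips nothing; the point of the sliding window is that the slow guesser at one attempt per minute only gets caught if the window is wide enough, which is the knob to tune against the false-positive risk the first comment warns about (a legitimate user mistyping a password a few times).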

    LVL 25

    Accepted Solution

    I know it isn't what you are looking for, but what I found to be the easiest fix for this was to change the port the sshd daemon listens on.  Change it to something like 1234.  (Make sure to open that port on the firewall, of course.)  Since it's a very uncommon port for a daemon to use, no one really scans for it.  I know when I changed my port, it took the number of ssh hack attempts from 100s and sometimes 1000s in a day to 0.  Haven't even had one since I changed it; been over a year.  Figure it's a good and easy workaround anyway.

    Author Comment

    Anyone want to offer their management services for my dedicated server I purchased?  Please contact me.  I am not in any way qualified to handle the needs of this server in terms of the DNS, log file cleanup, security security security.  I have no idea if someone might already be running some script from my server... help.

