Is it possible to automate a firewall rule based on multiple SSH denies?

Posted on 2006-06-03
Last Modified: 2010-04-22
Can someone please help me come up with an automated solution to a problem in which every week my server is being hit by numerous/different SSH attacks?  I would like to automate a process by which I can take this IP-addressed attack, add it to my firewall "deny_hosts" file and restart apache.  I do know that these attacks are truly those of hackers at all times. I would like to simply take failed SSH attempts from a single IP over a varying username, list the IP address by which this attempt is coming from, and add it to the deny_hosts.rules file for our firewall.  Please anyone, do you have a solution for me? Hope that I explained myself thoroughly...

Question by:adanker

Expert Comment

ID: 16824396
> .. SSH attacks?  .. add it to my firewall "deny_hosts" file .. restart apache.
hmm, what has your apache to do with SSH or your firewall?

Anyway, I'd write a simple script which extracts the failed ssh attempts from /var/log/messages (or whatever you configured for your log files), extracts the IP from that message and adds it to your deny_hosts.
Don't forget to clean up this deny_hosts file periodically, or you end up with a list of all valid IPs ;-)

Expert Comment

ID: 16828160
Relying on tcp wrappers as an adequate security solution is only setting yourself up for failure.  You should really look into setting up a firewall that only allows inbound ssh (and any other public facing services that you can lock down without problems) to IPs that you want to explicitly allow.  

Expert Comment

ID: 16829156
I would consider using a tool like portsentry to watch for portscans and then blackhole the malfeasors for a period of time.

Here are some instructions for setting it up:

From the [PortSentry introduction]:

A port scan is a symptom of a larger problem coming your way. It is often the pre-cursor for an attack and is a critical piece of information for properly defending your information resources. PortSentry is a program designed to detect and respond to port scans against a target host in real-time and has a number of options to detect port scans. When it finds one it can react in the following ways:

- A log indicating the incident is made via syslog().
- The target host is automatically dropped into /etc/hosts.deny for TCP Wrappers.
- The local host is automatically re-configured to route all traffic to the target to a dead host to make the target system disappear.
- The local host is automatically re-configured to drop all packets from the target via a local packet filter.

The purpose of this is to give an admin a heads up that their host is being probed.

I would also add a cron job to drop the blackholed IPs after 24 hours, once they start failing they typically move on and 24 hours seems to be fine.




Expert Comment

ID: 16872883
You can also utilize something like SEC to watch syslog and or static files and then take actions based on thresholds.

I.e. Threshold #1: 10 failures in 15 minutes, run script xyz.sh
Threshold #2: wait x hrs and then remove the hosts from iptables etc.


#!/bin/sh
# xyz.sh <ip> -- called by SEC once threshold #1 fires
# Update TCP Wrappers: hosts.deny entries have the form "daemon : client"
echo "sshd: $1" >> /etc/hosts.deny
# Add rule to iptables to drop traffic from that IP to sshd
iptables -A INPUT -p tcp --dport 22 -s "$1" -j DROP
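The two approaches above (a script that pulls failed sshd logins out of syslog and adds the IP to the deny list, and the SEC-style threshold of 10 failures in 15 minutes followed by removal after a fixed time) come down to the same three steps: parse, count per source IP in a window, and expire. The following is an added example that is not code from this thread or from SEC; it assumes OpenSSH's classic "Failed password for ... from ..." syslog format, a constructed sample log, an assumed year for the year-less syslog timestamps, and it returns the hosts.deny and iptables actions as command strings rather than executing them, so it can be run offline.

```python
"""Threshold-and-expiry SSH banning: parse failed sshd logins from syslog,
ban an IP after N failures inside a sliding window, lift the ban after a
fixed time.  Added illustration; sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic syslog line from OpenSSH, e.g.
# "Jun  3 10:15:00 host sshd[1200]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)

# Constructed sample log: ten failures from one host with rotating usernames
# (the pattern the asker describes), two stray failures from another host,
# and one successful login that must be ignored.
SAMPLE_LOG = [
    f"Jun  3 10:{15 + i // 6:02d}:{(i * 10) % 60:02d} host sshd[{1200 + i}]: "
    f"Failed password for invalid user {u} from 198.51.100.7 port {4000 + i} ssh2"
    for i, u in enumerate(["admin", "test", "oracle", "guest", "root",
                           "user", "ftp", "www", "mysql", "backup"])
] + [
    "Jun  3 10:17:00 host sshd[1300]: Failed password for root from 203.0.113.5 port 4100 ssh2",
    "Jun  3 10:17:20 host sshd[1301]: Failed password for root from 203.0.113.5 port 4101 ssh2",
    "Jun  3 10:17:30 host sshd[1302]: Accepted password for alice from 192.0.2.10 port 5000 ssh2",
]


def parse_failures(lines, year=2006):
    """Return (timestamp, ip, user) for every failed-login line, in time order.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return sorted(events)


def offenders(events, threshold=10, window=timedelta(minutes=15)):
    """Map IP -> time of its `threshold`-th failure inside a sliding `window`
    (the "10 failures in 15 minutes" rule from the thread)."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _user in events:
        if ip in banned:
            continue            # already actioned; nothing more to do
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()         # forget failures older than the window
        if len(q) >= threshold:
            banned[ip] = ts
    return banned


def ban_commands(ip):
    """The two actions of the thread's xyz.sh, as strings.  hosts.deny lines
    are "daemon : client", so the IP is written with its sshd prefix."""
    return [f'echo "sshd: {ip}" >> /etc/hosts.deny',
            f"iptables -A INPUT -p tcp --dport 22 -s {ip} -j DROP"]


def expired(banned, now, ttl=timedelta(hours=24)):
    """IPs whose ban has been in place for at least `ttl` (the periodic
    cleanup step the thread recommends)."""
    return sorted(ip for ip, since in banned.items() if now - since >= ttl)


def unban_commands(ip):
    """Reverse of ban_commands: drop the iptables rule and the hosts.deny line."""
    escaped = ip.replace(".", r"\.")   # dots are regex metacharacters for sed
    return [f"iptables -D INPUT -p tcp --dport 22 -s {ip} -j DROP",
            f"sed -i '/^sshd: {escaped}$/d' /etc/hosts.deny"]


if __name__ == "__main__":
    banned = offenders(parse_failures(SAMPLE_LOG))
    for ip, since in banned.items():
        print(f"# {ip} banned at {since}")
        print("\n".join(ban_commands(ip)))
    later = max(banned.values()) + timedelta(days=1)
    for ip in expired(banned, later):
        print(f"# {ip} ban expired at {later}")
        print("\n".join(unban_commands(ip)))
```

Run from cron (or fed by SEC) it would ban 198.51.100.7 after its tenth failure at 10:16:30 while leaving 203.0.113.5, which only failed twice, alone; a second pass a day later emits the unban commands. Keeping the ban timestamp is what makes the cleanup step possible, which is exactly the part the first answer warns not to forget.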


Accepted Solution

Cyclops3590 earned 375 total points
ID: 16906940
I know it isn't what you are looking for, but what I found to be the easiest fix for this was to change the port the sshd daemon listens on.  Change it to something like 1234.  (Make sure to open that port on the firewall, of course.)  Since it's a very uncommon port for a daemon to use, no one really scans for it.  I know when I changed my port, it took the number of ssh hack attempts from 100s and sometimes 1000s in a day to 0.  Haven't even had one since I changed it; been over a year.  Figure it's a good and easy workaround anyway.

Author Comment

ID: 16963901
Anyone want to offer their management services for my dedicated server I purchased?  Please contact me.  I am not in any way qualified to handle the needs of this server in terms of the DNS, log file cleanup, security security security.  I have no idea if someone might already be running some script from my server... help.

