How to Block IP addresses that show up in /var/log/auth.log after so many attempts?

Posted on 2007-08-08
Last Modified: 2010-04-22
Like most auth.log files, ours shows multiple failed attempts from various IPs, usually trying to log in as root. Is there any way to block a specific IP once it attempts to authenticate and fails more than three times?
Question by:douggoss
    LVL 16

    Accepted Solution

    It is possible to do, but it is simpler to limit login attempts from one IP in a timeframe:
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

    lines copied from:
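
The approach the question asks about (count failures per source in auth.log, block above three) can be sketched as follows. This is an added example, not code from the thread: it assumes OpenSSH's usual "Failed password for ... from IP port N ssh2" line format, the function names and sample lines are constructed, and it only returns the iptables rules rather than applying them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog format (not from the page).
SAMPLE_LOG = """\
Aug  8 03:11:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Aug  8 03:11:03 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Aug  8 03:11:06 host sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Aug  8 03:11:09 host sshd[2107]: Failed password for root from 203.0.113.7 port 40131 ssh2
Aug  8 03:12:15 host sshd[2110]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 198.51.100.9 port 51000 ssh2
Aug  8 03:12:40 host sshd[2113]: Failed password for alice from 198.51.100.20 port 51811 ssh2
Aug  8 03:13:02 host sshd[2113]: Accepted password for alice from 198.51.100.20 port 51811 ssh2
"""

# The user name is remote-controlled text, so anchor on the END of the line:
# the greedy ".*" swallows any fake "from <ip>" embedded in the user name.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* "
    r"from (\S+) port \d+(?: ssh2)?\s*$")

def failed_sources(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))  # reject anything that is not an IP
        except ValueError:
            continue
        counts[str(ip)] += 1
    return counts

def block_rules(log_text, max_failures=3, allowlist=()):
    """Return DROP rules for sources with MORE than max_failures failures."""
    rules = []
    for ip, n in sorted(failed_sources(log_text).items()):
        if n > max_failures and ip not in allowlist:
            tool = "ip6tables" if ":" in ip else "iptables"
            rules.append(f"{tool} -I INPUT -s {ip} -p tcp --dport 22 -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(block_rules(SAMPLE_LOG)))
```

The fifth sample line carries a forged "from 192.0.2.10" inside the user name; a parser that takes the first address on the line would block that address instead of the real source. Pass your own management addresses in `allowlist` so a few mistyped passwords cannot lock you out.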
    LVL 19

    Assisted Solution

    What you need is an intrusion detection system, for you can set up the scenario asked for and other different scenarios through it.
    LVL 16

    Assisted Solution

    One method for locking IPs exceeding login attempts is described in

    Also, if possible, you should limit from which IPs you can connect to the server via port 22.
    LVL 32

    Expert Comment

    Wouldn't it be a good thing to leave it as it is now? This is the record you have for future hack problems.

    LVL 30

    Expert Comment

    by:Kerem ERSOY

    I have some suggestions for you:
    - First of all I'd suggest you change your SSH port to a non-standard port, if possible one greater than 1024, because most of these attacks come from people having a scanner scanning well-known ports.
    - Then you might block password as an authentication method and use certificate authentication instead.

    rsivanandan: using a live production system as a honey-pot :) Thanks but no thanks :)
