Update hosts.deny to block brute force attempts

2 Sep

Here I show a simple script to block IPs that attempt brute force logins against your host, which saves you from having to move ssh to an alternative port, for example.

The script runs over /var/log/messages, detects brute force attempts via regex, and adds the offending IPs to /etc/hosts.deny.

Code:

#!/bin/bash

# Keep a copy of the current file so we can tell afterwards whether anything changed.
cp /etc/hosts.deny /var/tmp/hosts.deny

# Only today's lines are considered: %d gives the zero-padded day ("08") and %e the
# space-padded one (" 8"), so the alternation matches whichever form syslog wrote.
# Jun  8 00:39:43 mintaka sshd[23332]: User root from 222.77.183.51 not allowed because not listed in AllowUsers
egrep "$(date +%b) ($(date +%d)|$(date +%e)).*User .* from [a-z0-9.]* not allowed because not listed in AllowUsers" /var/log/messages | sed -e 's/.* from \([a-z0-9.]*\) .*/\1/' | sort | uniq | sed -e 's/^/ALL:/' > /etc/hosts.deny
# Jun  8 11:54:33 mintaka sshd[31221]: Invalid user bob from 62.204.145.224
# (the leading space this leaves on the address is harmless: tcp_wrappers splits the client list on whitespace)
egrep "$(date +%b) ($(date +%d)|$(date +%e)).*Invalid user .* from [a-z0-9.]*$" /var/log/messages | sed -e 's/.*Invalid user .* from//' | sort | uniq | sed -e 's/^/ALL:/' >> /etc/hosts.deny

# Report only when the list actually changed.
diff -u /etc/hosts.deny /var/tmp/hosts.deny &>/dev/null || (echo "** hosts.deny updated **" ; cat /etc/hosts.deny)

Script working:

Sep 2 16:55:02 mintaka -- MARK --
Sep 2 13:58:10 mintaka sshd[20790]: Did not receive identification string from 189.2.118.72
Sep 2 13:58:34 mintaka sshd[20795]: Invalid user suporte from 189.2.118.72
# Brute force attempt
Sep 2 13:58:41 mintaka sshd[20798]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:43 mintaka sshd[20800]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:46 mintaka sshd[20802]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:49 mintaka sshd[20804]: Invalid user suporte from 189.2.118.72
Sep 2 13:58:51 mintaka sshd[20806]: Invalid user suporte from 189.2.118.72
Sep 2 13:59:24 mintaka sshd[20817]: Did not receive identification string from 189.2.118.72
# Script running
** hosts.deny updated **
ALL:74.221.239.100
ALL: 189.2.118.72
ALL: 200.27.79.101
ALL: 74.221.239.100
# and now IPs are blocked
Sep 2 14:00:09 mintaka sshd[20826]: Invalid user teste2008 from 189.2.118.72
Sep 2 14:00:10 mintaka sshd[20864]: refused connect from 189.2.118.72 (189.2.118.72)

I run it on my machine every two minutes 🙂
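The same detection and update step, as an added example that is not the post's own script: it matches the same two sshd messages, but takes the log file, the day and the deny file as parameters so it can be dry-run on a constructed sample log, and it merges new addresses into the existing file instead of replacing it. The function names (deny_entries, merge_deny, update_deny_file, write_sample_log) and the sample log lines are my own.

```shell
#!/bin/sh
# Added example (not the post's own script): the same detection, written as
# functions that take the log file, the day and the deny file as parameters,
# so it can be tested against a sample log without touching /etc/hosts.deny.

# Print one "ALL:<ip>" line per address that sshd logged on the given day as
# "Invalid user ... from <ip>" or "User ... from <ip> not allowed because not
# listed in AllowUsers" (the two messages the post matches).
#   $1 = log file   $2 = month abbreviation, e.g. Sep   $3 = day of month, unpadded, e.g. 2
deny_entries() {
    # " +0?" accepts both the space-padded day syslog writes ("Sep  2") and a
    # zero-padded one ("Sep 02"), which is what the post's (%d|%e) alternation does.
    grep -E "^$2 +0?$3 .*sshd\[[0-9]+\]: (Invalid user .* from [0-9.]+|User .* from [0-9.]+ not allowed because not listed in AllowUsers)" "$1" \
      | sed -e 's/.* from \([0-9.]*\).*/\1/' \
      | sort -u \
      | sed -e 's/^/ALL:/'
}

# Union of the entries already in a deny file and the newly detected ones, in
# first-seen order.  Unlike the post's script, which rewrites the file with only
# today's addresses, this keeps blocks from earlier days.
#   $1 = existing deny file (may be missing)   $2 = file holding the new ALL: lines
merge_deny() {
    { [ -f "$1" ] && cat "$1"; cat "$2"; } | awk '!seen[$0]++'
}

# Rebuild the deny file from the log and rewrite it only if the content changed.
# Returns 0 when the file was updated, 1 when it was already up to date.
#   $1 = deny file   $2 = log file   $3 = month   $4 = day
update_deny_file() {
    udf_new=$(mktemp); udf_merged=$(mktemp)
    deny_entries "$2" "$3" "$4" > "$udf_new"
    merge_deny "$1" "$udf_new" > "$udf_merged"
    rm -f "$udf_new"
    if [ -f "$1" ] && cmp -s "$1" "$udf_merged"; then
        rm -f "$udf_merged"
        return 1
    fi
    cat "$udf_merged" > "$1"   # cat, not mv: keeps the target's owner and mode
    rm -f "$udf_merged"
    return 0
}

# Constructed sample log for a dry run, modelled on the lines the post shows.
# The Sep 1 line, the "Did not receive identification string" line, the
# accepted login and the MARK line must all be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep  1 23:10:05 mintaka sshd[20101]: Invalid user admin from 10.0.0.9
Sep  2 13:58:10 mintaka sshd[20790]: Did not receive identification string from 189.2.118.72
Sep  2 13:58:34 mintaka sshd[20795]: Invalid user suporte from 189.2.118.72
Sep  2 13:58:41 mintaka sshd[20798]: Invalid user suporte from 189.2.118.72
Sep  2 14:02:17 mintaka sshd[20831]: User root from 222.77.183.51 not allowed because not listed in AllowUsers
Sep  2 14:05:00 mintaka sshd[20840]: Accepted publickey for felipe from 192.0.2.10 port 51022 ssh2
Sep  2 16:55:02 mintaka -- MARK --
EOF
}

# Dry run against temporary files.  For real use, point the first argument at
# /etc/hosts.deny and the second at /var/log/messages (or auth.log), and pass
# "$(date +%b)" and "$(date +%e | tr -d ' ')" as the day, e.g. from cron.
demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/messages"
printf 'ALL:74.221.239.100\n' > "$demo_dir/hosts.deny"   # pretend this was blocked yesterday
if update_deny_file "$demo_dir/hosts.deny" "$demo_dir/messages" Sep 2; then
    echo "** hosts.deny updated **"
    cat "$demo_dir/hosts.deny"
fi
rm -rf "$demo_dir"
```

Two things worth checking before wiring this into cron: hosts.deny only has an effect if your sshd was built with tcp_wrappers (libwrap) support, which upstream OpenSSH removed in 6.7, so on a newer system the same list is better fed into a firewall rule; and because the post's original script rewrites /etc/hosts.deny with today's hits only, an address that attacked yesterday is unblocked again at midnight, which is why the example merges instead of overwriting.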


19 Responses to “Update hosts.deny to block brute force attempts”

  1. kate middleton bride figurine April 21, 2012

    Hi, Neat post. There’s a problem with your web site in internet explorer, might test this… IE still is the marketplace leader and a large component to other folks will omit your great writing because of this problem.

  2. motorcycle transport April 20, 2012

    Fantastic post I am just taking in on motorcycles and this post really helped me out! I really appreciate the effort.

  3. Sue Hochstetler April 19, 2012

    The actual clearness inside your post is simply spectacular and that i can assume you are an expert on this subject.

  4. opalanie natryskowe April 18, 2012

    Sorry for the huge review, but I’m really loving the new Zune, and hope this, as well as the excellent reviews some other people have written, will help you decide if it’s the right choice for you.

  5. download here April 18, 2012

    You really make it appear so easy along with your presentation however I find this topic to be really one thing that I think I would by no means understand. It seems too complex and very vast for me. I’m taking a look forward to your subsequent publish, I’ll attempt to get the hold of it!

  6. Wendie Raju April 11, 2012

    Write more, that's all I have to say. Literally, it seems as though you relied on the video to make your point. You definitely know what you're talking about, why waste your intelligence on just posting videos to your weblog when you could be giving us something enlightening to read?

  7. Houses to let in Newcastle April 10, 2012

    http://propertiestolet.insanejournal.com/data/rss

  8. Biuro Podróży April 6, 2012

    Wonderful work! That is the kind of information that is meant to be shared around the internet. Disgrace on Google for not positioning this publish upper! Come on over and discuss with my website. Thank you =)

  9. Hunter Schwebach April 2, 2012

    This is a really good site post, I'm delighted I came across it. I'll be back down the track to check out other posts that

  10. Latonya Hinde March 30, 2012

    I think that what you wrote made a great deal of sense. However, consider this, suppose you typed a catchier post title? I am not saying your content is not solid, however what if you added something to possibly get a person’s attention? I mean Update hosts.deny to block brute force attempts | Dev With Passion is a little boring. You ought to look at Yahoo’s home page and see how they create news headlines to get viewers to open the links. You might try adding a video or a pic or two to grab readers interested about what you’ve got to say. Just my opinion, it might make your posts a little livelier.

  11. Biuro Podrozy March 29, 2012

    I really like what you guys are up to. This kind of clever work and coverage! Keep up the excellent work guys, I’ve included you guys in my own blogroll.

  12. Ada Cornwell March 26, 2012

    […]what follows are a handful of urls to webpages we connect to as we feel these are well worth visiting[…]

  13. http://diamondweddingband.ca March 19, 2012

    What I do not realize is if truth be told how you’re not actually a lot more neatly-favored than you may be now. You are very intelligent. You understand therefore considerably in relation to this subject, produced me in my opinion imagine it from numerous various angles. It's like women and men are not fascinated except it’s one thing to accomplish with Girl gaga! Your personal stuff's great. Always care for it up!

  14. Gama March 12, 2010

    Impressive!
    Just this morning I was thinking about how to write a script like this to detect intrusion attempts via SSH, and here I find it.
    Very good!
    I will certainly have to improve my egrep and sed know-how to do something similar.

  15. bimo September 14, 2009

    Hello…the script is not working for me…

    Output is gt, no such command..

    Where am I going wrong?

    Thanks..

    • Felipe 'chronos' Prenholato September 14, 2009

      Hmm… maybe your distro and/or version of sshd outputs entries in a different format than mine. Probably you need to change the egrep regex :).

      Maybe it is a better idea to check for other scripts/software that do the same thing; check the links in the comments 😉

  16. Luiz Agostinho (fl0cker) September 4, 2009

    Hey Dr. Chronos!

    I use a very similar solution, denyhosts, which works in the same way!

    Cheers!
