Blocking IPs after X many SSH auth failures

Although there are scripts like DenyHosts, I wanted something that I could run without needing python. What I came up with is a simple one-liner shell command:


cat /var/log/secure* | grep Bye | awk '{print $9}' | sort | uniq --count | awk '$1 >= 50 {print "sshd: " substr($2, 1, length($2)-1)}' >> /etc/hosts.deny

That should dump every IP in your /var/log/secure with at least 50 failed SSH authentications into your hosts.deny file.

One caveat is that the same IPs will be added to the hosts.deny file again each time this is run. That is easily fixed by saving the IPs to a separate file, removing the duplicates with sort and uniq, and only then appending them to the hosts.deny file.
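The same pipeline rewritten as an idempotent script that applies the de-duplication described in the caveat above (added example, not the post's own code). The sample log lines are constructed, and the field positions, threshold handling and function names are my assumptions.

```shell
#!/bin/sh
# Idempotent variant of the one-liner above (added example, not the post's own code).
# It parses sshd "Bye Bye" disconnect lines, counts them per client IP and merges
# every IP at or above a threshold into a hosts.deny-style file, skipping entries
# already present so repeated runs add no duplicates.

# Constructed sample lines standing in for /var/log/secure (not real log data).
sample_log() {
    cat <<'EOF'
Mar  3 10:01:02 host sshd[2001]: Received disconnect from 203.0.113.7: 11: Bye Bye
Mar  3 10:01:05 host sshd[2002]: Received disconnect from 203.0.113.7: 11: Bye Bye
Mar  3 10:01:09 host sshd[2003]: Received disconnect from 203.0.113.7 port 40112:11: Bye Bye [preauth]
Mar  3 10:02:00 host sshd[2004]: Received disconnect from 198.51.100.9: 11: Bye Bye
Mar  3 10:05:00 host sshd[2005]: Received disconnect from 192.0.2.5: 11: disconnected by user
EOF
}

# stdin: sshd log text. stdout: "<count> <ip>" for every client IP with "Bye Bye" lines.
# Field 9 is the IP in both the older "from IP:" and the newer "from IP port N:" form;
# the older form's trailing colon is stripped here. (The post's substr($2, 0, ...)
# starts at offset 0, which gawk treats as one character shorter; offset 1 is correct.)
count_bye_by_ip() {
    grep 'Bye Bye' | awk '{ sub(/:$/, "", $9); print $9 }' | sort | uniq -c |
        awk '{ print $1, $2 }'
}

# stdin: "<count> <ip>" lines. stdout: "sshd: <ip>" for every count >= $1.
offenders() {
    awk -v t="$1" '$1 >= t { print "sshd: " $2 }'
}

# stdin: "sshd: <ip>" lines. Appends each to deny file $1 unless an identical
# line is already present (-x matches the whole line, -F matches literally).
merge_into_deny() {
    deny="$1"
    [ -e "$deny" ] || : > "$deny"
    while IFS= read -r entry; do
        grep -qxF "$entry" "$deny" || printf '%s\n' "$entry" >> "$deny"
    done
}

# Full run: ban_from_logs <deny-file> <threshold> <log file>...
# e.g. ban_from_logs /etc/hosts.deny 50 /var/log/secure*
ban_from_logs() {
    deny="$1"; threshold="$2"; shift 2
    cat "$@" | count_bye_by_ip | offenders "$threshold" | merge_into_deny "$deny"
}
```

Running ban_from_logs a second time against the same logs leaves the deny file unchanged, which is the property the one-liner lacks.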
