Blocking IP addresses from failed SSH attempts
In this recipe, we will learn about finding the failed SSH attempts and blocking those IP addresses. To find failed attempts, we will use grep
as well as cat
commands. The login attempts to the SSH Server are tracked and recorded into the rsyslog
daemon.
Getting ready
Besides having a Terminal open, we need to remember a few concepts:
- Basic knowledge of the
grep
andcat
commands - Ensure that
grep
is installed
How to do it…
We will find the failed SSH login attempts using the grep
and cat
commands. First, be a root user. Type the sudo su
command. Next, run the following command to fetch the failed attempts using the grep
command:
# grep "Failed password" /var/log/auth.log
You can do this using the cat
command also. Run the following command:
# cat /var/log/auth.log | grep "Failed password"
You can block the particular IP address that has failed SSH login attempt using tcp-wrapper. Navigate to the /etc
directory. Look for the hosts.deny
file, add the following...