SSH Log Checker & IP Ban with PERL

It is always nice when your servers are running and everyone is happy. But anyone with experience in this business knows that every server reachable from the internet is under constant attack, much of it from automated scanners in other countries. You have to be better than the attacker, which is not always possible.

Like all the scripts on this website, there is a real need for this application on web servers. The only safe server is one that is not connected to the internet. As we have seen, even Apache has had remotely exploitable vulnerabilities on its HTTP port. So security is always the #1 concern for an administrator.

But the real threat is via the FTP and SSH (SFTP) ports. Hosting companies often have many clients on one server, and customers make up usernames and passwords like user "FRED" and password "FRED". With security like that, it is no wonder that attackers look for obvious holes. Although most of us have much stronger passwords, several hosts brute-forcing your SSH port at the same time can exhaust sshd's unauthenticated connection limit (MaxStartups) or the CPU, and keep you from accessing your own server.

I have seen server-crashing CPU loads as a result of brute force attacks on an SSH login. So one day I hacked up this little script to read the SSH login log and ban any IP that fails too many login attempts.

I run my scripts every minute so that no attack lasts longer than a minute. In most cases, every 15 minutes should be enough to keep the login attempts from creating an extended denial of service.

To Install The Script

The only thing to configure is the path to the banned-IP list. This file stores the IPs that have tried to log in over SSH and failed a defined number of times; it is also how the script knows which IPs it has already banned, so it can skip them on the next run. To keep administrators from banning themselves after a few typos, the threshold is set at 30 failed attempts; if you always manage the server from one fixed address, it is worth excluding that address from the count as well. The directory must be writable by the user the cron job runs as (root in the /etc/crontab entries below), so any directory root can write to is fine. The default is the same directory as the script.
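The script the page links to is not reproduced here, so the following is an added Perl example in the same spirit, not the author's code: it reads the sshd log, counts "Failed password" lines per source IP, bans every IP at or over the 30-failure threshold with an iptables DROP rule, and appends each banned IP to bannedips.txt so later runs skip it. The log path, the --dry-run flag, the whitelist, and the sample log lines used in dry-run mode are assumptions and constructed data, not taken from the page.

```perl
#!/usr/bin/perl
# Added example, not the script the page links to: count failed SSH logins per
# source IP in the sshd log and ban repeat offenders with iptables.
# Assumptions (not from the page): the log path, the --dry-run flag, the
# whitelist, and the constructed sample log lines used in dry-run mode.
use strict;
use warnings;

my $LOG       = $ENV{SSH_LOG}     || '/var/log/auth.log';  # assumption: Debian-style; RHEL uses /var/log/secure
my $BANFILE   = $ENV{BANNED_FILE} || 'bannedips.txt';      # one already-banned IP per line, as on the page
my $THRESHOLD = 30;                                         # failures per IP before a ban, as on the page
my @WHITELIST = ('127.0.0.1');                              # assumption: add your own admin IPs here
my $DRY_RUN   = grep { $_ eq '--dry-run' } @ARGV;          # print iptables commands instead of running them

# Source IP of a failed sshd password login, or undef for any other line.
sub failed_login_ip {
    my ($line) = @_;
    return $line =~ /sshd\[\d+\]: Failed password for .*? from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/ ? $1 : undef;
}

# Tally failures per IP over the given log lines.
sub count_failures {
    my %count;
    for my $line (@_) {
        my $ip = failed_login_ip($line);
        $count{$ip}++ if defined $ip;
    }
    return \%count;
}

# Set of IPs already banned on a previous run (a missing file means none yet).
sub read_banned {
    my ($file) = @_;
    my %banned;
    if (open my $fh, '<', $file) {
        while (my $ip = <$fh>) {
            chomp $ip;
            $banned{$ip} = 1 if length $ip;
        }
        close $fh;
    }
    return \%banned;
}

# IPs at or over the threshold that are neither whitelisted nor already banned.
sub ips_to_ban {
    my ($count, $banned, $threshold, @whitelist) = @_;
    my %white = map { $_ => 1 } @whitelist;
    return sort { $a cmp $b }
           grep { $count->{$_} >= $threshold && !$banned->{$_} && !$white{$_} } keys %$count;
}

# Insert (-I, not -A) a DROP rule so it sits ahead of any ACCEPT rule for port 22.
# List-form system() runs iptables without a shell, so $ip is never re-parsed.
sub ban_ip {
    my ($ip) = @_;
    my @cmd = ('iptables', '-I', 'INPUT', '-s', $ip, '-j', 'DROP');
    if ($DRY_RUN) { print "would run: @cmd\n"; return 1; }
    return system(@cmd) == 0;
}

# Remember the ban so later runs, which re-read the same log, skip this IP.
sub record_ban {
    my ($file, $ip) = @_;
    open my $fh, '>>', $file or die "cannot append to $file: $!";
    print $fh "$ip\n";
    close $fh;
}

sub run {
    my @lines;
    if ($DRY_RUN) {
        # Constructed sample: 203.0.113.9 fails 31 times, 198.51.100.4 only twice.
        push @lines, sprintf("Mar  3 04:12:%02d host sshd[4121]: Failed password for invalid user fred from 203.0.113.9 port %d ssh2", $_, 50000 + $_) for 1 .. 31;
        push @lines, "Mar  3 04:13:01 host sshd[4150]: Failed password for root from 198.51.100.4 port 40001 ssh2" for 1 .. 2;
        push @lines, "Mar  3 04:13:02 host sshd[4151]: Accepted publickey for admin from 192.0.2.7 port 40002 ssh2";
    } else {
        open my $fh, '<', $LOG or die "cannot read $LOG: $!";
        @lines = <$fh>;
        close $fh;
    }
    my $count  = count_failures(@lines);
    my $banned = read_banned($BANFILE);
    my @new    = ips_to_ban($count, $banned, $THRESHOLD, @WHITELIST);
    for my $ip (@new) {
        next unless ban_ip($ip);
        print "banned $ip after $count->{$ip} failed logins\n";
        record_ban($BANFILE, $ip) unless $DRY_RUN;
    }
    return scalar @new;
}

run();
```

Run it as root from cron, or as "perl sshlogincheck.pl --dry-run" to see which rule it would add for the sample data (only 203.0.113.9 crosses the threshold). Because the whole log is re-read on every run, the counts for an attacker only grow until the log rotates; bannedips.txt is what stops the script from issuing the same DROP rule over and over, which is also why that file has to be cleared whenever the iptables rules are (see the reboot note further down). The regex only understands IPv4 and the "Failed password" message; swapping that one pattern is all it takes to point the same logic at an FTP or mail log.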

The script should be run from a directory that is not web accessible. That should not be a problem, since most people using this script have dedicated servers. You won't run this if you just rent web space; this is for server administrators and hosting companies.

download the ssh login check script

Rename the script with a .cgi or .pl extension
upload the script in ASCII (text) mode
chmod the script 0755

Now, to make the script run at a regular interval, you need to edit your crontab file. On most Linux systems the system-wide file is /etc/crontab, a plain text file whose entries carry a user field after the five time fields.

You need to add the times to run the script. Call the script directly: run-parts expects a directory of scripts, not a single file, and will refuse a file path. For example, if the script is located in /www/cgi-bin/sshlogincheck.cgi (keep that directory outside anything the web server serves, as noted above), you can add four lines to your crontab to run it every 15 minutes.

0 * * * * root /www/cgi-bin/sshlogincheck.cgi
15 * * * * root /www/cgi-bin/sshlogincheck.cgi
30 * * * * root /www/cgi-bin/sshlogincheck.cgi
45 * * * * root /www/cgi-bin/sshlogincheck.cgi

On a cron that supports step values, the single entry */15 * * * * root /www/cgi-bin/sshlogincheck.cgi is equivalent to those four lines.

To run the script every minute, use only one line:

* * * * * root /www/cgi-bin/sshlogincheck.cgi

It is a simple answer to a bigger problem. The advantage of banning with iptables is that you can flush the rules and open the IPs again if needed. iptables rules are not persisted across a reboot, so if you reboot you need to delete bannedips.txt as well; otherwise the script will skip IPs that are still listed in the file but are no longer blocked in the table. Additionally, because the DROP rule matches the whole source address, it blocks that IP on every port, not just SSH. Keep in mind that this also blocks every user behind a shared NAT address, so watch for legitimate users getting caught.

One solution is to clear bannedips.txt when the logs rotate, so that the counts and the bans start fresh together. I prefer to run a script at startup that removes bannedips.txt; a one-liner such as unlink "bannedips.txt" is enough. The other way round also works: save the rules with iptables-save and reload them at boot with iptables-restore, and the file and the table stay in step.
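To make the reboot case concrete, here is an added Perl companion script, not from the page, that handles both approaches just described: a "reset" mode that does the page's startup unlink of bannedips.txt, and a "sync" mode that parses the live rule list from iptables -S INPUT and re-inserts a DROP rule for every listed IP that no longer has one. The mode names, the --dry-run flag, the BANNED_FILE environment variable, and the sample rule and list data used in dry-run mode are assumptions and constructed data.

```perl
#!/usr/bin/perl
# Added example, not from the page: reconcile bannedips.txt with the live
# iptables rules after a reboot, instead of letting the checker skip IPs that
# are listed in the file but no longer dropped. Assumed modes and flag:
#   reset  - the page's own approach: remove bannedips.txt at startup
#   sync   - re-insert a DROP rule for every listed IP that iptables has lost
#   --dry-run uses constructed rule and list data and prints instead of acting
use strict;
use warnings;

my $BANFILE = $ENV{BANNED_FILE} || 'bannedips.txt';   # the file the checker appends to
my $DRY_RUN = grep { $_ eq '--dry-run' } @ARGV;
my ($mode)  = grep { $_ ne '--dry-run' } @ARGV;
$mode = 'sync' unless defined $mode;

# Parse `iptables -S INPUT` output into the set of source IPs currently dropped.
# Example rule line: -A INPUT -s 203.0.113.9/32 -j DROP
sub dropped_ips {
    my ($rules_text) = @_;
    my %active;
    for my $rule (split /\n/, $rules_text) {
        $active{$1} = 1 if $rule =~ m{^-A INPUT -s (\d{1,3}(?:\.\d{1,3}){3})(?:/32)? -j DROP\b};
    }
    return \%active;
}

# IPs recorded in the ban file, in file order.
sub read_ban_list {
    my ($file) = @_;
    my @ips;
    if (open my $fh, '<', $file) {
        while (my $ip = <$fh>) { chomp $ip; push @ips, $ip if length $ip; }
        close $fh;
    }
    return @ips;
}

# Listed IPs that have no DROP rule any more (the reboot case from the page).
sub missing_bans {
    my ($listed, $active) = @_;
    return grep { !$active->{$_} } @$listed;
}

sub main {
    if ($mode eq 'reset') {
        if ($DRY_RUN) { print "would unlink $BANFILE\n"; return; }
        unlink $BANFILE or warn "nothing to remove: $!\n";   # the page's startup one-liner
        return;
    }
    my ($rules, @listed);
    if ($DRY_RUN) {
        # Constructed sample: the file lists two IPs, but only one rule survived.
        $rules  = "-P INPUT ACCEPT\n-A INPUT -s 203.0.113.9/32 -j DROP\n-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n";
        @listed = ('203.0.113.9', '198.51.100.77');
    } else {
        $rules  = `iptables -S INPUT`;   # assumption: run as root with iptables on PATH
        @listed = read_ban_list($BANFILE);
    }
    for my $ip (missing_bans(\@listed, dropped_ips($rules))) {
        my @cmd = ('iptables', '-I', 'INPUT', '-s', $ip, '-j', 'DROP');
        if ($DRY_RUN) { print "would run: @cmd\n"; next; }
        system(@cmd) == 0 or warn "failed to re-ban $ip\n";
    }
}

main();
```

With "perl banlist-sync.pl sync --dry-run" the sample data yields a single "would run" line for 198.51.100.77, the IP that is in the list but has no rule. Which mode to run at boot is a policy choice: "reset" forgets old bans and lets the log re-earn them, which is simpler and self-correcting; "sync" keeps bans across reboots but means the file, not the log, becomes the source of truth, so review it occasionally for addresses that should be released.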

The principle can easily be applied to an Apache log, mail log or any other log to prevent brute force attacks.

It may be overly simplified, but the options are slim. Everyone configures sshd to limit login attempts and slow attacks down, but there is no way to just stop them, even with a simple script like this one; you can only cut them short.

I will admit, this one needs some tuning. But it is a great starting point for any server administrator who wants to lock down their SSH logins. And best of all, it is in Perl and it's free.