SSH Log Checker
& IP Ban with PERL
It is always nice when your servers are
running and everyone is happy. But anyone with any experience in
this business knows that every server is under constant attack
from remote countries. You have to be better than the hacker
which is not always possible.
Like all the scripts on this website, there
is a real need for this application on web servers. The only safe
server is one that is not connected to the internet. As we have
seen even APACHE has had vulnerabilities allowing root access via
an http port. So security is always the #1 concern for an
But the real threat is via FTP and SFTP
ports. Hosting companies often have many clients on one server
and with great usernames and passwords that the customers often
make up, like user "FRED" and pass "FRED".
With security like that, it is no wonder that hackers are looking
for obvious holes. Although most of us have much stronger
passwords, the sheer brute forces of several servers attacking
your ssh port at the same time can crash a daemon or prevent you
from accessing your own server.
I have seen server crashing cpu loads as a
result of brute force attacks on a ssh login. So one day I hacked
up this little script to read the ssh login log and ban any ips
that have failed login attempts.
I run my scripts every minute to prevet any
attack from lasting more than 1 minute. But in most cases, every
15 minutes should be enough to prevent the login to create an
extended Denial Of Service situation.
To Install The Script
The only thing to configure is the path to
a banned ip list. This will store a list of ips that attempt to
access your SSH login and fail a defined number of times. To
prevent people from banning themselves we have set the faild
number at 30. The directory must be writeable, but since the
script is run by crontab, any directory should be fine. The
default will be in the same directory as the script.
The script should be run from a non web
accessible directory. That should not be a problem since most
people using this script have dedicated servers. You wont run
this if you just buy web space. This is for server administrators
and hosting companies.
the ssh login check script
Rename the script with a .cgi or .pl
upload the script in ASC or text mode
chmod the script 0755
Now, to make the script run at a regular
interval. You will need to edit your crontab file. The file
should be at /etc/crontab and will be a standard text file.
You will need to add the times to run the
script. For example, if the script is located in /www/cgi-bin/sshlogincheck.cgi
you can add to your crontab four lines to run it every 15 minutes.
0 * * * * root run-parts /www/cgi-bin/sshlogincheck.cgi
15 * * * * root run-parts /www/cgi-bin/sshlogincheck.cgi
30 * * * * root run-parts /www/cgi-bin/sshlogincheck.cgi
45 * * * * root run-parts /www/cgi-bin/sshlogincheck.cgi
To run the script every minute use only one
* * * * * root run-parts /www/cgi-bin/sshlogincheck.cgi
It is a simple answer to a bigger problem.
The advantage is that you can clear the ip tables and open ips
again if needed. The ip tables are cleared on a reboot, so if you
reboot, you need to delete the bannedips.txt so it wont skip past
banned ips not currently in the ip tables. Additionally, by using
ip tables you ban the ip from other port attacks, not just your
One solution is to clear the bannedips.txt
when the logs rotate. Although I like to run a script at start up
to remove the bannedips.txt. Just a simple script with something
like "unlink bannedips.txt".
The princeple can easily be applied to an
apache log, mail log or any other log to prevent brute force
It may be overly simplified, but the
solutions are slim. Everyone is configuring ssh to minimize
logins and slow down attacks. But there is no way to just stop
them with a simple script.
I will admit, this one needs some tuning.
But it is a great starting point for any server administrator to
secure up their ssh logins. And best of all, it is in perl and