First, change the SSH port away from the default.
Then create the script pb_ssh.sh:
#!/bin/bash
# crontab entry, runs this script every minute:  */1 * * * * /root/pb_ssh.sh
# Pull the last minute's records from /var/log/secure and count, per IP, the failed SSH authentications
SCANNER=$(grep "$(date -d -1min | awk '{print substr($0,10,7)}')" /var/log/secure | awk '/Failed/{print $(NF-3)}' | awk -F: '{print $NF}' | grep -v from | sort | uniq -c | awk '{print $2"="$1;}')
for i in $SCANNER
do
  # number of authentication failures
  NUM=$(echo "$i" | awk -F= '{print $2}')
  # the IP address they came from
  IP=$(echo "$i" | awk -F= '{print $1}')
  # if it failed more than 5 times and is not blocked yet, add a DROP rule for it and log the event
  if [ "$NUM" -gt 5 ] && [ -z "$(iptables -vnL INPUT | grep -w "$IP")" ]
  then
    /sbin/iptables -I INPUT -s "$IP" -j DROP
    echo "$(date) $IP($NUM)" >> /var/log/scanner.log
  fi
done
To unblock an IP (for example if your own address has been blocked), log in from another server and restart the firewall service; the DROP rules the script inserts exist only in the running rule set, so a restart clears them. To check the current rules:
iptables -L
iptables -vnL INPUT
Configuration steps:
su - root
chown root.root pb_ssh.sh
chmod 755 pb_ssh.sh
# crontab: run the anti-scan script every minute
*/1 * * * * /root/pb_ssh.sh
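The detection half of pb_ssh.sh, as an added example that is not the page's script: it reads log lines from stdin and takes the minute stamp and the already-blocked list as arguments (assumptions made so it runs offline; the page's script gets them from date and iptables), over a constructed /var/log/secure sample. It also locates the address after "from" instead of by field position and keeps the page's awk -F: step for IPv4-mapped "::ffff:" addresses.

```shell
#!/bin/sh
# Added example, not the original pb_ssh.sh: its detection half, rewritten to
# read log lines from stdin and take the minute stamp and the list of
# already-blocked IPs as arguments, so it can be exercised on a sample offline.

# Constructed sample in the /var/log/secure format the script greps.
SAMPLE_LOG=$(cat <<'EOF'
Mar 10 14:23:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 10 14:23:02 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar 10 14:23:03 host sshd[2003]: Failed password for root from ::ffff:203.0.113.7 port 40003 ssh2
Mar 10 14:23:04 host sshd[2004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar 10 14:23:05 host sshd[2005]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar 10 14:23:06 host sshd[2006]: Failed password for root from 203.0.113.7 port 40006 ssh2
Mar 10 14:23:07 host sshd[2007]: Accepted publickey for deploy from 198.51.100.5 port 50001 ssh2
Mar 10 14:23:08 host sshd[2008]: Failed password for root from 198.51.100.9 port 50002 ssh2
Mar 10 14:22:59 host sshd[2000]: Failed password for root from 192.0.2.44 port 30001 ssh2
EOF
)

# count_failures STAMP: from the log on stdin keep lines whose timestamp contains
# STAMP (the script builds it as `date -d -1min | awk '{print substr($0,10,7)}'`,
# e.g. "0 14:23" for Mar 10 14:23), take the address after "from" so the field
# position does not matter, strip an IPv4-mapped "::ffff:" prefix, print IP=COUNT.
count_failures() {
    grep "$1" | awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | awk -F: '{ print $NF }' | sort | uniq -c | awk '{ print $2 "=" $1 }'
}

# ips_to_block STAMP THRESHOLD BLOCKED: print each IP with more than THRESHOLD
# failures that is not already in BLOCKED (one IP per line; in the real script
# that list comes from `iptables -vnL INPUT`). Exact-line match avoids treating
# 203.0.113.7 as blocked just because 203.0.113.70 is.
ips_to_block() {
    stamp=$1; threshold=$2; blocked=$3
    count_failures "$stamp" | while IFS='=' read -r ip num; do
        if [ "$num" -gt "$threshold" ] && ! printf '%s\n' "$blocked" | grep -qx "$ip"; then
            echo "$ip"
        fi
    done
}

# Dry run over the sample: only 203.0.113.7 crosses the threshold of 5.
printf '%s\n' "$SAMPLE_LOG" | ips_to_block "0 14:23" 5 ""
```

The line at 14:22:59 falls outside the minute window and the 198.51.100.9 address stays under the threshold, so neither is reported.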
Alternatively, use the denyhosts software.
Linux: protecting against SSH brute-force scanning IPs