From Leo's Notes
Last edited on 15 June 2020, at 00:21.

/etc/hosts.deny is the TCP Wrappers (libwrap) control file listing hosts that are refused connections to wrapped services such as sshd, so they never get as far as authenticating on the system.


Blocking IPs after X SSH Authentication Failures

Although there are scripts like DenyHosts, I wanted something that I could run without needing python. What I came up with is a simple one-liner shell command:

# cat /var/log/secure* | grep Bye | awk '{print $9}' | sort | uniq --count | awk '$1 >= 50{print "sshd: " substr($2, 1, length($2)-1)}' >> /etc/hosts.deny

That should dump all the IPs in your /var/log/secure which failed at least 50 SSH logins into your /etc/hosts.deny file. Field 9 of the "Received disconnect from 1.2.3.4: 11: Bye Bye" line is the address followed by a colon, and the substr() strips that trailing colon. (Note that awk string positions start at 1; using 0 as the start position silently drops the last character of the address as well, leaving a prefix such as "1.2.3." that TCP Wrappers would treat as a whole-network pattern.)

One caveat with this is that the same IPs will be added to the hosts.deny file again each time this is run. However, this should be easily resolved by saving the IPs in a separate file, and then removing duplicate values using sort & uniq before they are dumped into the hosts.deny file.
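The same counting, thresholding and hosts.deny append as a small re-runnable script, as an added example that is not from the original note. It assumes the classic /var/log/secure line format, works on a constructed sample log, takes the log file, deny file and threshold as arguments (so it can be pointed at a scratch file instead of the real /etc/hosts.deny), and skips an IP that is already listed so repeated runs do not add duplicates.

```shell
#!/bin/sh
# Added example (not from the original page). Counts sshd "Bye Bye" preauth
# disconnects per source IP and appends "sshd: <ip>" for IPs at or above a
# threshold to a hosts.deny-style file, without adding duplicates.
# Assumes the classic "Mon DD HH:MM:SS host sshd[pid]: Received disconnect
# from A.B.C.D: 11: Bye Bye [preauth]" log format, where field 9 is "A.B.C.D:".

# Constructed sample log: 10.0.0.5 has 3 disconnects, 10.0.0.9 has 1, and
# 192.0.2.7 is a normal user disconnect that must not be counted.
make_sample_log() {
    cat > "$1" <<'EOF'
Jun 14 10:00:01 host sshd[101]: Received disconnect from 10.0.0.5: 11: Bye Bye [preauth]
Jun 14 10:00:02 host sshd[102]: Received disconnect from 10.0.0.5: 11: Bye Bye [preauth]
Jun 14 10:00:03 host sshd[103]: Received disconnect from 10.0.0.9: 11: Bye Bye [preauth]
Jun 14 10:00:04 host sshd[104]: Received disconnect from 10.0.0.5: 11: Bye Bye [preauth]
Jun 14 10:00:05 host sshd[105]: Received disconnect from 192.0.2.7: 11: disconnected by user
EOF
}

# Print "count ip" for every source address seen in "Bye Bye" disconnects.
# sub() strips the trailing colon from field 9 (awk positions start at 1).
count_bye_bye() {
    grep 'Bye Bye' "$1" | awk '{ ip = $9; sub(/:$/, "", ip); print ip }' \
        | sort | uniq -c | awk '{ print $1, $2 }'
}

# Usage: deny_offenders LOGFILE DENYFILE THRESHOLD
# Appends "sshd: ip" for IPs with >= THRESHOLD hits unless already present.
deny_offenders() {
    log=$1; deny=$2; threshold=$3
    touch "$deny"
    count_bye_bye "$log" | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        # -F fixed string, -x whole line, -q quiet: skip exact duplicates
        grep -Fxq "sshd: $ip" "$deny" || echo "sshd: $ip" >> "$deny"
    done
}
```

Sourcing the script and running `deny_offenders /var/log/secure /etc/hosts.deny 50` reproduces the one-liner's behaviour while staying safe to put in cron, since a second run adds nothing for IPs already denied.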