Overview

Blocks IP addresses based on SSH or FTP incoming login failures, by looking at SSHD and ProFTPD logs, and updating hosts.allow as needed.

If you are a Linux user running an SSH server, it is likely that you have been probed by script kiddies, and your daily LogWatch emails will show 100-150 login attempts in a short interval before they go away. OpenSSH has no option to slow down repeated login attempts coming from one IP address: logins occur at a pretty fast clip, one attempt every few seconds.

For a home or small business Linux user at least, it does not make sense to keep the door open for logins for so long. Use this script, and the daily LogWatch email notifications will show only 7-9 login attempts, with remote hosts then getting "Refused incoming connection" messages. Reading the daily LogWatch emails is then not terrifying at all; in fact, it may be fun to see these script kiddies get blocked!
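The following is an added example, not the script's own code, of the mechanism described above: scan SSHD and ProFTPD log lines for login failures, count them per source IP, and maintain a marker-delimited deny section in hosts.allow. The log lines are constructed samples that follow the usual OpenSSH and ProFTPD syslog formats; the marker strings, the threshold of 3, the `never_block` list and the `ALL: <ip> : deny` TCP Wrappers form are this example's own choices (the `deny` option needs a libwrap built with PROCESS_OPTIONS, which Linux distributions normally ship).

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from any real host).
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51230 ssh2
Mar  3 10:01:15 host sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51231 ssh2
Mar  3 10:01:18 host sshd[2212]: Failed password for root from 203.0.113.5 port 51232 ssh2
Mar  3 10:02:40 host sshd[2230]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:01 host proftpd[2300]: host (203.0.113.9[203.0.113.9]) - USER anonymous: no such user found from 203.0.113.9 [203.0.113.9] to 192.0.2.1:21
Mar  3 10:03:05 host proftpd[2300]: host (203.0.113.9[203.0.113.9]) - USER ftp (Login failed): Incorrect password
Mar  3 10:03:09 host proftpd[2300]: host (203.0.113.9[203.0.113.9]) - USER ftp (Login failed): Incorrect password
Mar  3 10:05:00 host sshd[2250]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# OpenSSH: "Failed password for [invalid user] NAME from IP port N ssh2"
SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IPV4)

# ProFTPD: "host (IP[IP]) - USER NAME (Login failed)..." or "USER NAME: no such user found"
PROFTPD_FAIL = re.compile(
    r"proftpd\[\d+\]: \S+ \(" + IPV4 + r"\[[^\]]*\]\) - USER .*?"
    r"(?:\(Login failed\)|no such user found)"
)

# Markers delimiting the section this example manages in hosts.allow (hypothetical names).
BEGIN_MARK = "#---- BLOCKED-HOSTS-BEGIN ----"
END_MARK = "#---- BLOCKED-HOSTS-END ----"


def failed_login_ips(log_text: str) -> Counter:
    """Count failed SSH/FTP logins per source IP; successful logins are ignored."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = SSHD_FAIL.search(line) or PROFTPD_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ips_to_block(counts: Counter, threshold: int = 3,
                 never_block=frozenset({"127.0.0.1"})) -> list:
    """IPs at or above the failure threshold, minus addresses that must never be locked out."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in never_block)


def render_hosts_allow(existing: str, blocked: list) -> str:
    """Return hosts.allow content with the managed deny section rewritten in place.

    TCP Wrappers stops at the first matching rule, so when no managed section
    exists yet it is placed before any permissive entries. Re-running on the
    result replaces the section rather than appending a duplicate.
    """
    section = "\n".join([BEGIN_MARK] + [f"ALL: {ip} : deny" for ip in blocked] + [END_MARK]) + "\n"
    lines = existing.splitlines(keepends=True)
    start = end = None
    for i, line in enumerate(lines):
        if line.rstrip("\n") == BEGIN_MARK:
            start = i
        elif line.rstrip("\n") == END_MARK:
            end = i
    if start is not None and end is not None and end >= start:
        return "".join(lines[:start]) + section + "".join(lines[end + 1:])
    return section + existing


if __name__ == "__main__":
    blocked = ips_to_block(failed_login_ips(SAMPLE_LOG))
    # In a real deployment the input would be the current /etc/hosts.allow.
    print(render_hosts_allow("sshd: 192.0.2.0/24\n", blocked), end="")
```

With the sample above, 203.0.113.5 (three SSH failures) and 203.0.113.9 (three FTP failures) are denied, while 198.51.100.7, with a single failure followed by a successful key login, is left alone. A production version would also expire entries after some time and run with a lock so concurrent invocations cannot corrupt hosts.allow.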

  • Be sure to acquaint yourself with material available on the web related to security and denial of service. In particular, see the discussion on the OpenSSH mailing list related to SSHD blocking and FAIL_DELAY:
  • Make your sshd/proftpd configurations as tight as possible. For example, for sshd, turn off root logins (PermitRootLogin) and use the AllowUsers keyword so that only one or a select few usernames are accepted. As far as possible, avoid common usernames; make even the user names hard to guess. For ProFTPD, use /etc/ftpusers, which contains the names of users that will not be allowed to use FTP; root should be in there.
  • Last, but not least: always use strong passwords! That may be the final line of protection.