07 April 2019

Find and block failed SSH logins on CentOS

Got a problem with others trying to brute force the root password on your box?


I'm not running vsftpd, yet it's a similar process. My concern is limited to third parties trying to access my box with SSH.
This is what I did:
Tecmint showed me how to grep the IPs:
# egrep "Failed|Failure" /var/log/secure
Apr  7 03:42:13 67 sshd[4868]: Failed password for root from 186.233.231.44 port 56075 ssh2
Apr  7 03:45:19 67 sshd[4871]: Failed password for root from 38.140.192.165 port 52138 ssh2
Apr  7 03:47:16 67 sshd[4874]: Failed password for root from 35.221.157.112 port 36306 ssh2
Apr  7 03:49:01 67 sshd[4877]: Failed password for root from 153.127.193.168 port 40604 ssh2
Apr  7 03:50:54 67 sshd[4881]: Failed password for root from 89.109.54.214 port 52268 ssh2
Apr  7 04:01:07 67 sshd[4900]: Failed password for root from 14.63.192.249 port 37507 ssh2
Apr  7 04:04:49 67 sshd[4905]: Failed password for root from 41.228.165.225 port 35462 ssh2
Apr  7 04:05:40 67 sshd[4909]: Failed password for root from 195.142.122.126 port 42548 ssh2
Apr  7 04:16:17 67 sshd[4914]: Failed password for root from 103.120.224.3 port 51416 ssh2
Apr  7 04:26:00 67 sshd[4919]: Failed password for root from 139.59.79.56 port 40074 ssh2
Apr  7 04:37:27 67 sshd[4925]: Failed password for root from 103.27.236.2 port 60528 ssh2
Apr  7 04:44:33 67 sshd[4968]: Failed password for root from 18.214.68.139 port 60896 ssh2
Apr  7 04:53:24 67 sshd[4991]: Failed password for root from 193.36.184.175 port 41408 ssh2
Apr  7 04:56:09 67 sshd[4995]: Failed password for root from 1.250.62.223 port 59052 ssh2
Apr  7 05:00:45 67 sshd[4998]: Failed password for root from 183.82.63.212 port 43840 ssh2
Apr  7 05:05:41 67 sshd[5016]: Failed password for root from 186.103.146.148 port 55982 ssh2
Apr  7 05:10:14 67 sshd[5038]: Failed password for root from 68.183.4.19 port 34894 ssh2

From there I updated my /etc/hosts.deny file to the following:
# /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 186.233.231.44
sshd: 38.140.192.165
sshd: 35.221.157.112
sshd: 153.127.193.168
sshd: 89.109.54.214
sshd: 14.63.192.249
sshd: 41.228.165.225
sshd: 195.142.122.126
sshd: 103.120.224.3
sshd: 139.59.79.56
sshd: 103.27.236.2
sshd: 18.214.68.139
sshd: 193.36.184.175
sshd: 1.250.62.223
sshd: 183.82.63.212
sshd: 186.103.146.148
sshd: 68.183.4.19

Then just let systemd know it needs to pick up the change by restarting sshd, and voilà, it's done.
# systemctl restart sshd
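
The grep-and-copy step above can be scripted so it is repeatable and only blocks addresses that have actually failed several times. This is an added example, not code from the original post or from Tecmint; it assumes the log line format shown above, takes the log and deny-file paths as parameters, and uses constructed sample data with RFC 5737 documentation addresses rather than real attacker IPs.

```shell
#!/bin/sh
# Added example: count "Failed password" lines per source IP in a
# /var/log/secure-style file and emit "sshd: <ip>" lines for addresses
# at or above a threshold, skipping ones already in the deny file so the
# script is safe to re-run. The match is narrower than the post's
# "Failed|Failure" pattern so unrelated "Failure" messages are ignored.

# failed_ips LOGFILE THRESHOLD -> prints "count ip" per offending address
failed_ips() {
    grep -E 'sshd\[[0-9]+\]: Failed (password|publickey) for' "$1" |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c |
        awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# deny_lines LOGFILE THRESHOLD DENYFILE -> prints the hosts.deny lines
# that are not yet present in DENYFILE (nothing is written by this function)
deny_lines() {
    failed_ips "$1" "$2" | while read -r count ip; do
        grep -qxF "sshd: $ip" "$3" 2>/dev/null || printf 'sshd: %s\n' "$ip"
    done
}

# Constructed sample log (documentation addresses, not real sources).
SAMPLE_LOG='Apr  7 03:42:13 67 sshd[4868]: Failed password for root from 192.0.2.10 port 56075 ssh2
Apr  7 03:42:20 67 sshd[4869]: Failed password for root from 192.0.2.10 port 56076 ssh2
Apr  7 03:45:19 67 sshd[4871]: Failed password for root from 198.51.100.7 port 52138 ssh2
Apr  7 03:46:00 67 sshd[4872]: Accepted password for root from 203.0.113.5 port 41000 ssh2'

# demo -> runs the pipeline on the sample with threshold 2 and a deny file
# that already lists 198.51.100.7; prints only the address still missing
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$dir/secure"
    printf 'sshd: 198.51.100.7\n' > "$dir/hosts.deny"
    deny_lines "$dir/secure" 2 "$dir/hosts.deny"
    rm -rf "$dir"
}

demo   # prints: sshd: 192.0.2.10
```

On a real box, run `deny_lines /var/log/secure 5 /etc/hosts.deny` into a review file first, then append the reviewed lines to /etc/hosts.deny.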
