In this article, we will learn about finding the failed SSH attempts and blocking those IP addresses. To find failed attempts, we will use grep as well as cat commands. The login attempts to the SSH Server are tracked and recorded into the rsyslog daemon.
Prerequisites
Besides having a Terminal open, we need to remember a few concepts:
- Basic knowledge of the
grepandcatcommands - Ensure that
grepis installed
How to do it
We will find the failed SSH login attempts using the grep and cat commands. First, be a root user. Type the sudo su command. Next, run the following command to fetch the failed attempts using the grep command:
# grep "Failed password" /var/log/auth.logYou can do this using the cat command also. Run the following command:
# cat /var/log/auth.log | grep "Failed password"You can block the particular IP address that has failed SSH login attempt using tcp-wrapper. Navigate to the /etc directory. Look for the hosts.deny file, add the following line in the file, and save the file:
sshd: 192.168.0.1/255.255.255.0How it works
In this, we used the cat and grep commands. The most common use of the cat command is to display the contents of a file, and grep is a Linux utility used for searching a file for a particular pattern; then, it will display the lines that will have the particular pattern.
In the previous examples, we were searching for a failed login attempt. We are matching such key words using the grep command and then we are displaying it using the cat command.
To block an IP address, we just added a single line into the hosts.deny file, which will block that particular IP address.
