# Block IP Address from SSH

## gauntalus

Hey, I wrote a tiny little perl script to collect information on invalid SSH login attempts on my webserver.  It totals up all the invalid logins from each IP and lists them out in an easy to read format, now I just want to add a bit to block the IPs that occur most frequently.  Here's a snippet of the output:

```
$ ./invalid_users.pl
Logged attacks from 59 unique sources...
218.38.18.28:           868
61.54.44.146:           597
61.219.134.90:          432
125.245.85.252:         377
217.160.111.47:         323
210.121.206.210:        309
210.97.134.22:          278
125.250.248.130:        256
...
*snip*
```

So my question is this, given an IP address, how do you block them from attempting to login via SSH?

----------

## think4urs11

Use the search, gauntalus: https://forums.gentoo.org/viewtopic-t-421706-highlight-ssh+block.html

----------

## gauntalus

A simple RTFM would have sufficed  :Smile:  j/k!  But yes, I saw that post, I just didn't know if there was a simple way to do just exactly what I was interested in: blocking a specific IP from attempting to SSH into my server.  I didn't want to set up a complex system to do it since a simple system such as the one I intend to devise should be enough for my little no-traffic blog.

I suppose since a lot of people are pointing me down this route that I'll look into it a bit more, so thanks for the link nevertheless.

----------

## think4urs11

Well, the other option would be to extend your script in a way that it fires up an iptables DROP with the IP you have found to be intrusive as source and your server's IP + SSH port as destination.
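Here is what that extension could look like, as an added example that is neither gauntalus's perl script nor think4urs11's own rules. It reads sshd log lines on stdin, counts failures per source address, skips a whitelist of trusted prefixes so a fat-fingered password from your own LAN never locks you out, and emits one `iptables` DROP rule for the SSH port per address at or above a threshold. The sample log lines, the `TRUSTED_PREFIXES` variable and the `APPLY` switch are all constructed for this example; rules are only printed unless `APPLY=1` is set, and the apply path uses `iptables -C` first so re-running the script does not stack duplicate rules.

```shell
#!/bin/sh
# Added example (not code from the thread): count failed SSH logins per source
# address and emit a DROP rule for each address at or above a threshold.
# Dry run by default; APPLY=1 actually calls iptables (needs root).

# Constructed sample of sshd log lines (RFC 5737 documentation addresses).
SAMPLE_LOG='May  7 21:21:18 host sshd[1593]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
May  7 21:21:19 host sshd[1595]: Failed password for root from 203.0.113.5 port 4023 ssh2
May  7 21:21:20 host sshd[1597]: Invalid user oracle from 198.51.100.7
May  7 21:21:21 host sshd[1599]: Failed password for invalid user admin from 203.0.113.5 port 4024 ssh2
May  7 21:21:22 host sshd[1601]: Accepted publickey for alice from 192.0.2.10 port 2117 ssh2'

# Space-separated address prefixes that must never be blocked (your LAN, your
# jump host). Assumed variable name; override it from the environment.
TRUSTED_PREFIXES=${TRUSTED_PREFIXES:-"192.168. 127."}

# count_failures: stdin = sshd log lines; stdout = "<count> <ip>", highest first.
count_failures() {
    awk '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # Scan from the end so a username that happens to be "from"
            # cannot be mistaken for the keyword before the address.
            for (i = NF; i > 0; i--) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# is_trusted IP: succeed when IP starts with one of the trusted prefixes.
is_trusted() {
    for p in $TRUSTED_PREFIXES; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# run_iptables RULE...: print "iptables -I RULE", or with APPLY=1 insert it
# at the top of the chain unless an identical rule is already present.
run_iptables() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables -C "$@" 2>/dev/null || iptables -I "$@"
    else
        echo "iptables -I $*"
    fi
}

# block_rules THRESHOLD [PORT]: one DROP rule per offending address, limited
# to the SSH port so other services from that address keep working.
block_rules() {
    threshold=$1; port=${2:-22}
    count_failures | while read -r n ip; do
        [ "$n" -ge "$threshold" ] || continue
        is_trusted "$ip" && continue
        run_iptables INPUT -p tcp --dport "$port" -s "$ip" -j DROP
    done
}

# Dry run over the sample: only 203.0.113.5 has three or more failures.
printf '%s\n' "$SAMPLE_LOG" | block_rules 3
```

Feed it the real log with something like `block_rules 10 < /var/log/messages` from cron; because `-I` puts the DROP ahead of whatever ACCEPT rule admits SSH, ordering inside the chain is not a concern, but the whitelist is, so set `TRUSTED_PREFIXES` before the first run with `APPLY=1`.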

----------

## ronmon

No need to reinvent the wheel.

```
qpkg -i denyhosts
app-admin/denyhosts-2.2
   DenyHosts is a utility to help sys admins thwart ssh hackers [ http://www.denyhosts.net ]
```

----------

## Naib

*ronmon wrote:*

> No need to reinvent the wheel.
>
> ```
> qpkg -i denyhosts
> ...
> ```

Or try blockhosts, a similar thing; both have their advantages and disadvantages.

I prefer blockhosts since it does not run as a daemon and only runs when a login is attempted.

Here is my auto-populated hosts.allow

```
//LKGD718D2~# cat /etc/hosts.allow
########################################
# Whitelist
#######################################
sshd : 192.168.1. : allow
sshd : 195.33.114.129 : allow
#######################################
# Blacklist
######################################
#ALL :
#---- BlockHosts Additions
ALL:  203.123.143.45 : deny
ALL:    61.14.17.108 : deny
ALL:  210.87.136.171 : deny
ALL: 193.151.242.155 : deny
ALL:  221.254.183.50 : deny
ALL:    217.17.47.97 : deny
ALL:   62.15.230.169 : deny
ALL:  66.221.194.149 : deny
ALL:   195.150.178.2 : deny
ALL:   64.34.179.115 : deny
ALL: 209.120.238.110 : deny
ALL:   82.35.224.244 : deny
ALL:   61.211.230.98 : deny
ALL:    125.0.90.192 : deny
ALL:   219.93.241.94 : deny
#bh: ip: 193.151.242.155 :  10 : 2006-05-17-10-18
#bh: ip:    125.0.90.192 :   6 : 2006-05-16-09-30
#bh: ip:   219.93.241.94 :   6 : 2006-05-15-11-20
#bh: ip:   195.150.178.2 :   6 : 2006-05-14-22-46
#bh: ip:    61.14.17.108 :   6 : 2006-05-14-11-25
#bh: ip:  66.221.194.149 :   6 : 2006-05-14-02-55
#bh: ip:   80.55.196.142 :   4 : 2006-05-13-13-01
#bh: ip:  203.123.143.45 :   6 : 2006-05-12-22-56
#bh: ip:   62.15.230.169 :   6 : 2006-05-12-15-34
#bh: ip:   64.34.179.115 :   6 : 2006-05-12-08-53
#bh: ip:    217.17.47.97 :   6 : 2006-05-11-22-44
#bh: ip:  210.87.136.171 :   6 : 2006-05-11-09-23
#bh: ip:   61.211.230.98 :   6 : 2006-05-10-23-58
#bh: ip:  221.254.183.50 :   6 : 2006-05-10-22-41
#bh: ip:   222.216.27.40 :   1 : 2006-05-10-04-32
#bh: ip:    61.143.38.56 :   3 : 2006-05-10-03-23
#bh: ip: 209.120.238.110 :   6 : 2006-05-09-09-14
#bh: ip:   82.35.224.244 :   6 : 2006-05-08-09-44
#bh: logfile: /var/log/messages
#bh: offset: 117814
#bh: first line:May  7 21:21:18 (none) auth.info sshd[1593]: Accepted publickey for ###### from 192.168.1.2 port 2117 ssh2
#---- BlockHosts Additions
sshd : ALL : spawn (/usr/bin/blockhosts.py)
sshd : ALL : allow
```

I am running a 133MHz fileserver with SSH access and it was getting really sluggish with all the script-kiddies trying (they won't get in: no root login, only one user can SSH in [silly long name], no-passwd auth all done via a keyfile, and even if they did get in they then have to work out the root passwd).

----------

## htranou

I like fail2ban to block IPs. You can choose the command to run when banning, so you can drop only the connections on the service port (ssh, ftp, or whatever fail2ban monitors) or drop all connections from this IP.

----------

## warthog

*ronmon wrote:*

> No need to reinvent the wheel.
>
> ```
> qpkg -i denyhosts
> ...
> ```

I started using denyhosts, and it's working great. I configured it to send me an e-mail every time it adds a host to the deny list, and from grepping the log files, I can see that it detects and blocks script kiddies fairly quickly.

----------

## guero61

I'll register again - I'm an awfully big fan of `-m recent` for iptables.  Everybody has these big thick scripts that arguably can offer more functionality, but my approach takes no maintenance and can still be used to notify me of blocked systems w/a cron job.  My preference..    :Wink: 
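For readers who have not used the `recent` match, here is the kind of ruleset guero61 is describing, as an added example rather than his own rules: two `iptables` lines that record every new connection to the SSH port per source address and drop a source once it has made too many new connections in a window, followed by a small report over the kernel's recent-list file that a cron job could mail out. The `IPT` variable (set it to `echo` to preview the rules without root), the function names, and the sample `/proc/net/xt_recent/ssh` lines are constructed for this example; the entry layout is assumed from the kernel's `xt_recent` output format.

```shell
#!/bin/sh
# Added example (not guero61's rules): per-source rate limiting of new SSH
# connections with the iptables "recent" match, plus a report for cron.
IPT=${IPT:-iptables}   # IPT=echo previews the rules instead of loading them

# ssh_recent_rules [PORT] [HITS] [SECONDS]: allow at most HITS-1 new
# connections from one source within SECONDS; later ones are dropped, and
# because --update refreshes the timestamp a persistent scanner stays blocked
# until it goes quiet for SECONDS. Place these before the rule that ACCEPTs SSH.
ssh_recent_rules() {
    port=${1:-22}; hits=${2:-4}; secs=${3:-60}
    # 1. Record the source address of every new SSH connection in list "ssh".
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name ssh --set
    # 2. Drop it when the source already has HITS entries inside SECONDS.
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name ssh --update --seconds "$secs" --hitcount "$hits" -j DROP
}

# Constructed sample of /proc/net/xt_recent/ssh entries. Assumed layout:
# "src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <idx> <stamp>, <stamp>..."
SAMPLE_RECENT='src=203.0.113.5 ttl: 64 last_seen: 4295001000 oldest_pkt: 1 4294999000, 4295000000, 4295001000
src=198.51.100.7 ttl: 128 last_seen: 4295002000 oldest_pkt: 1 4295002000'

# recent_report: stdin = recent-list entries; stdout = "<ip> <recorded hits>",
# busiest first. The hit count is the number of timestamps after the seven
# fixed fields. Cron usage: recent_report < /proc/net/xt_recent/ssh | mail root
recent_report() {
    awk '{ ip = $1; sub(/^src=/, "", ip); print ip, NF - 7 }' | sort -k2,2nr
}

# Demonstration: preview the rules, then summarise the sample list.
IPT=echo ssh_recent_rules 22 4 60
printf '%s\n' "$SAMPLE_RECENT" | recent_report
```

The list file is named after `--name`, so the report needs no state of its own, which is the "no maintenance" property guero61 is pointing at; the trade-off is that the block is purely rate based, so a slow scanner that stays under the hit count is never touched.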

----------

