Thursday, July 24, 2008

How To Stop and Block Script Kiddies Attacking Your SSH Port

Hundreds of readily available scripts and tools, many of them point-and-click Windows programs, can be used to launch a brute force attack against your SSH port. They push username and password pairs at the SSH service automatically, either continuously or on a schedule.

The most alarming feature of these tools is that the credentials are fed from dictionary files containing millions of username and password pairs. Such dictionaries are widely available on the internet and are compiled from the most commonly used combinations: standard English names, numbers and special character patterns, chosen to give the attacker the highest hit rate.

There are a lot of ways to handle SSH brute force attacks. One approach is the BlockHosts package, available as an RPM.

BlockHosts scans log files for matching failure signatures. It keeps a count of how many times each attacking host has failed to log in via SSH and other services, and once the count passes a threshold it writes the attacker into a deny file (hosts.deny or hosts.allow). In other words, BlockHosts automatically blocks abusive IPs for specific daemons such as SSH and FTP.

BlockHosts Installation

BlockHosts is not in the Fedora repositories at the time of writing. Download the BlockHosts RPM from the project site and install it with the rpm package installer.

# rpm -ivh BlockHosts-2.4.0-1.noarch.rpm

BlockHosts Setup and Configuration

Back up and then modify /etc/blockhosts.cfg

BlockHosts works with its default configuration. The package installs its configuration file as

/etc/blockhosts.cfg

The most important setting in /etc/blockhosts.cfg is the count threshold.

Blockhosts Threshold

This is the number of failed attempts from one host that triggers blocking.

COUNT_THRESHOLD = 7

Remember to remove the comment character # in front of any configuration value you modify; a commented-out line is ignored and the default applies.

Blockhosts Deny File

This can be either /etc/hosts.allow or /etc/hosts.deny, configured with the line below. Note that blocking through these files only works for daemons that honor tcp_wrappers (libwrap); for sshd you can check with `ldd $(which sshd) | grep libwrap`.

HOSTS_BLOCKFILE = "/etc/hosts.deny"

Blockhosts Deny Line

When BlockHosts blocks an abusive IP, it writes the IP into the deny file wrapped in the prefix and suffix below, producing a tcp_wrappers rule such as "ALL: 203.0.113.7 : deny". The explicit " : deny" option is what makes the rule work even when the block file is /etc/hosts.allow.

HOST_BLOCKLINE = ["ALL: ", " : deny"]

Accept the default.

Blockhosts Age Threshold

Blocking hosts permanently is rarely what you want; dynamic attacker addresses get recycled and you may lock out a legitimate user who mistyped a password. The age threshold, measured in hours, controls how long a blocked IP stays in the deny file before BlockHosts removes it again.

AGE_THRESHOLD = 12

The above line keeps an abusive host in the block list for a 12-hour quarantine period.

Blockhosts Whitelist and Blacklist Labels

BlockHosts also supports exemptions and permanent blocks through a whitelist and a blacklist. Multiple hosts can be listed with the configuration lines below. Each entry is a regular expression matched against the IP address, which is why the dots are escaped; "10\.0\.0\..*" matches any address in 10.0.0.0/24.

WHITELIST = [ "127.0.0.1", "10\.0\.0\..*", ]
BLACKLIST = [ "192.168.10.1", "10\..*", ]

BlockHosts Monitored Log Files

Specify here the log files that BlockHosts should monitor.

LOGFILES = [ "/var/log/secure", "/var/log/vsftpd.log", ]

The value is a list, so multiple log files are separated by commas.

Blockhosts Alerts and Email Notification

You can enable the BlockHosts mail feature to receive an alert each time a host is blocked.

MAIL = True
NOTIFY_ADDRESS = 'root@localhost.localdomain'

Lastly, edit the deny file you configured in HOSTS_BLOCKFILE. By default that is hosts.deny.

# nano -w /etc/hosts.deny

Alternatively, if you set HOSTS_BLOCKFILE to /etc/hosts.allow, edit that file instead.

# nano -w /etc/hosts.allow

Append the two marker lines below to the deny file. BlockHosts only rewrites the text between these markers, so any rules you maintain yourself outside them are left untouched.

#---- BlockHosts Additions

#---- BlockHosts Additions

Save and exit.

BlockHosts supports blocking hosts based on failed attempts against daemons such as OpenSSH, ProFTPd, VsFTPd, Pure-FTPd and more. For more installation help, see the BlockHosts INSTALL file.

# nano -w /usr/share/doc/BlockHosts-2.4.0/INSTALL

Execute Blockhosts

# blockhosts.py --verbose

The above command scans the configured log files for failed authentication attempts. Any host that has reached the count threshold is written into the deny file, and entries older than the age threshold are removed.

Blockhosts Crontab Scheduling

Because BlockHosts only acts when it runs, schedule it to check your system logs regularly.

For example, every 10 minutes:

*/10 * * * * /usr/bin/blockhosts.py  > /dev/null 2>&1

The above line runs the BlockHosts Python script, which checks the monitored log files for abusive hosts and updates the deny file. Pick an interval that is short relative to how fast a dictionary attack can get through your threshold; with COUNT_THRESHOLD = 7 and a 10-minute interval, an attacker still gets a few hundred guesses in before the first block lands. More info here.
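To make the whole procedure concrete, the script below is an added example that re-implements the BlockHosts decision loop in miniature: it scans constructed /var/log/secure-style lines, counts failed passwords per source IP, applies COUNT_THRESHOLD, WHITELIST and AGE_THRESHOLD using the same names as the configuration keys above, and rewrites only the text between the two "#---- BlockHosts Additions" markers of a deny file. It is not the BlockHosts code itself; the sample log lines and addresses (TEST-NET ranges) are constructed for illustration, and the in-memory dict of blocked hosts stands in for BlockHosts' own bookkeeping.

```python
"""Miniature BlockHosts-style scan-count-block loop (example code, not BlockHosts)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Same names and defaults as the /etc/blockhosts.cfg keys discussed in the post.
COUNT_THRESHOLD = 7
AGE_THRESHOLD = 12                      # hours an offender stays in the deny file
WHITELIST = [r"127\.0\.0\.1", r"10\.0\.0\..*"]   # regular expressions, hence escaped dots
HOST_BLOCKLINE = ["ALL: ", " : deny"]
MARKER = "#---- BlockHosts Additions"

# OpenSSH "Failed password" lines as written to /var/log/secure by syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def _line(ts, pid, user, ip, port, invalid=False):
    """Build one constructed log line in the OpenSSH/syslog format."""
    who = f"invalid user {user}" if invalid else user
    return f"Jul 24 {ts} web1 sshd[{pid}]: Failed password for {who} from {ip} port {port} ssh2"


# Constructed sample log (assumption: TEST-NET addresses, not captured from a real host).
# 203.0.113.7: 7 failures (hits the threshold); 198.51.100.9: 2 failures (below);
# 10.0.0.5: 8 failures but whitelisted; plus one successful login that must be ignored.
SAMPLE_LOG = (
    [_line(f"10:15:{s:02d}", 4000 + s, "admin", "203.0.113.7", 51200 + s, invalid=True) for s in range(7)]
    + [_line(f"10:20:{s:02d}", 4100 + s, "root", "198.51.100.9", 40000 + s) for s in range(2)]
    + [_line(f"10:21:{s:02d}", 4200 + s, "bob", "10.0.0.5", 33000 + s) for s in range(8)]
    + ["Jul 24 10:22:00 web1 sshd[4300]: Accepted publickey for bob from 10.0.0.5 port 33001 ssh2"]
)


def count_failures(lines):
    """Count failed-password lines per source IP (the signature scan)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def is_whitelisted(ip):
    """WHITELIST entries are regexes matched against the whole address."""
    return any(re.fullmatch(pat, ip) for pat in WHITELIST)


def offenders(counts):
    """IPs at or above COUNT_THRESHOLD that are not whitelisted, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= COUNT_THRESHOLD and not is_whitelisted(ip))


def expire(blocked, now):
    """Drop blocked entries whose last offense is older than AGE_THRESHOLD hours."""
    cutoff = now - timedelta(hours=AGE_THRESHOLD)
    return {ip: seen for ip, seen in blocked.items() if seen >= cutoff}


def render_deny(existing, blocked):
    """Rewrite only the text between the two MARKER lines; keep everything else verbatim."""
    lines = existing.splitlines()
    try:
        start = lines.index(MARKER)
        end = lines.index(MARKER, start + 1)
    except ValueError:
        raise ValueError(f"deny file lacks the two '{MARKER}' marker lines")
    body = [HOST_BLOCKLINE[0] + ip + HOST_BLOCKLINE[1] for ip in sorted(blocked)]
    return "\n".join(lines[: start + 1] + body + lines[end:]) + "\n"


def run(log_lines, existing_deny, previous_blocked, now):
    """One scheduled pass: scan, block new offenders, expire old ones, rewrite the file."""
    blocked = dict(previous_blocked)
    for ip in offenders(count_failures(log_lines)):
        blocked[ip] = now
    blocked = expire(blocked, now)
    return blocked, render_deny(existing_deny, blocked)


if __name__ == "__main__":
    now = datetime(2008, 7, 24, 10, 30)
    # A previous run blocked 192.0.2.44 thirteen hours ago: it has aged out and must go.
    previous = {"192.0.2.44": now - timedelta(hours=13)}
    deny = f"sshd: 203.0.113.200\n{MARKER}\nALL: 192.0.2.44 : deny\n{MARKER}\n"
    blocked, text = run(SAMPLE_LOG, deny, previous, now)
    print(text)
```

Running the script blocks 203.0.113.7 (7 failures), leaves 198.51.100.9 alone (2 failures), ignores 10.0.0.5 despite 8 failures because it matches the whitelist, and removes the stale 192.0.2.44 entry because its 13-hour age exceeds AGE_THRESHOLD, while the admin-maintained "sshd: 203.0.113.200" line above the markers is preserved.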

All is done.
