@rohan-molloy
Last active December 22, 2019 05:42

Automated Blacklisting of SSH scanners

Create the ipset and the iptables chain that logs and drops every packet whose source is in the set (the raw table sees packets before connection tracking, so blacklisted hosts are dropped as early as possible)

ipset create scum hash:ip
iptables -t raw -N BLACKLISTING
iptables -t raw -A PREROUTING -j BLACKLISTING
iptables -t raw -A BLACKLISTING -m set --match-set scum src -j LOG
iptables -t raw -A BLACKLISTING -m set --match-set scum src -j DROP

Add IPs that have produced 30 or more "Invalid user" log lines since boot to the blacklist

#!/bin/bash
######################################
## /usr/local/sbin/update-blacklist ##
######################################
set -o nounset
set -o pipefail
declare ipset=$1   # name of the ipset to fill, e.g. scum
# Take the source address of every "Invalid user ... from <ip> port <n>" line
# logged by sshd during this boot, count lines per address, and add each
# address seen 30 or more times to the set. ipset -! ignores addresses that
# are already present; xargs -r skips the ipset call when there is nothing to add.
journalctl -u ssh -u sshd --boot | awk '/Invalid/{print $(NF-2)}' \
| sort --numeric-sort \
| uniq --count \
| sort --numeric-sort \
| awk '$1>=30{print $2}' \
| xargs -r -n1 /usr/sbin/ipset -q -! add "$ipset"

Run a transient timer that grows the list: the first run happens 5 seconds after the timer is created and then every 300 seconds. Neither the transient timer nor the contents of the ipset survive a reboot, so repeat these steps at boot or persist them (a real unit file, and ipset save for the set).

systemd-run --on-active=5 --on-unit-active=300 --unit update-blacklist /usr/local/sbin/update-blacklist scum
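The counting step above is the heart of the script, so here it is as an added example that runs offline and is not part of the gist: the journal lines are constructed sample data (RFC 5737 documentation addresses), the function names offenders and emit_ipset_adds are this example's own, and it prints the ipset commands it would run instead of executing them so the result can be reviewed before anything is blocked. It also generalises the gist's positional $(NF-2) field: the address is taken from the field after "from", which handles both the "from <ip> port <n>" form and older lines without a trailing port.

```shell
#!/bin/sh
# Added example (not part of the gist): the update-blacklist counting logic,
# runnable offline against constructed log lines.

# Constructed sshd journal lines for demonstration; not real data.
SAMPLE_LOG='Dec 22 05:40:01 host sshd[1201]: Invalid user admin from 203.0.113.10 port 40122
Dec 22 05:40:03 host sshd[1202]: Invalid user oracle from 203.0.113.10 port 40130
Dec 22 05:40:05 host sshd[1203]: Invalid user test from 198.51.100.7 port 51002
Dec 22 05:40:07 host sshd[1204]: Invalid user admin from 203.0.113.10
Dec 22 05:40:09 host sshd[1205]: Failed password for root from 192.0.2.5 port 33001 ssh2
Dec 22 05:40:11 host sshd[1206]: Invalid user pi from 198.51.100.7 port 51010
Dec 22 05:40:13 host sshd[1207]: Invalid user git from 203.0.113.10 port 40140'

# offenders THRESHOLD: read journal lines on stdin and print, sorted and one
# per line, every source IP that produced at least THRESHOLD "Invalid user"
# lines. The IP is the field after "from", so a missing "port N" suffix
# does not shift the field index the way $(NF-2) would.
offenders() {
    awk -v thr="$1" '
        /Invalid user/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= thr) print ip }
    ' | sort
}

# emit_ipset_adds SET THRESHOLD: print the ipset command the gist's script
# would run for each offender, instead of running it (dry run for review).
emit_ipset_adds() {
    offenders "$2" | while read -r ip; do
        printf 'ipset -q -! add %s %s\n' "$1" "$ip"
    done
}

# Usage: with threshold 3 only 203.0.113.10 (4 hits) is listed; 198.51.100.7
# has 2 hits and the "Failed password" line is not an "Invalid user" line at all.
printf '%s\n' "$SAMPLE_LOG" | emit_ipset_adds scum 3
```

To apply this to a live host, replace the sample data with journalctl -u ssh -u sshd --boot on stdin and pipe the emitted commands into sh once the list looks right; the threshold stays a parameter so it can be tuned without editing the awk program.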