Re: Limit the number of erroneous logins of root from the same IP



On 2011-11-14, Luis Gonçalves <luisgo@xxxxxxxxxx> wrote:
> Dear All

> Is there any way to limit the number of erroneous logins of root from the
> same IP? After the limit, that IP cannot try to log in anymore.

Of course that could allow a denial of service attack: someone tries to
log in from an IP you want to use, and denies your login.
I assume that you are concerned about login attempts from people trying
to break in.

Anyway, you could use /etc/hosts.allow,
e.g.
sshd:111.222.333.444 222.333.444.111 ....:deny
to deny any ssh login from those IP addresses. (Note you MUST make sure
that there are fewer than 128 addresses on any one line. The tcpwrapper suite has a bug
which causes it to loop forever if there are more. Venema refuses to fix
the bug.)

E.g. run a script every 5 min via cron with:

#!/bin/sh
# Collect the failed root logins, then add every address with more than 5
# of them to the sshd deny line in /etc/hosts.allow (once per address).
OUTPUT=`mktemp` || exit 1
grep 'Failed password for root' /var/log/messages >$OUTPUT
# field 11 of a standard syslog line ("... Failed password for root from A.B.C.D port ...") is the address
for i in `awk '{print $11}' $OUTPUT | sort -u`
do
  N=`grep -F "$i " $OUTPUT | wc -l`
  if [ "$N" -gt 5 ]; then
    if ! grep -F "$i " /etc/hosts.allow >/dev/null; then
      /bin/ed /etc/hosts.allow 2>/dev/null <<EOF
/^sshd.*deny *$/s/:deny/ $i :deny/
wq
EOF
      echo "Too many failed ssh root attempts from $i"
    fi
  fi
done
rm -f $OUTPUT

# In the same cron job: once the first sshd deny line has grown past 1024
# characters, put a fresh empty "sshd: :deny" line in front of it so the ed
# command above keeps adding to a short line (see the 128-address limit).
awk '$0 ~ /^sshd.*deny *$/ { f++; if (f == 1 && length($0) > 1024) print "sshd: :deny" }
     { print }' /etc/hosts.allow >/etc/hosts.allow$$
mv -f /etc/hosts.allow$$ /etc/hosts.allow
chmod a+r /etc/hosts.allow
> The tries could be consecutive or during a day. After that, no more
> logins.

> Thanks

> Luis Gonçalves
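The same approach as the cron script above, written out in Python as an added example (not code from this thread): count failed root password attempts per source address, apply the same "more than 5" threshold, and rewrite the sshd deny lines of hosts.allow so no line exceeds a per-line address limit. It goes a little beyond the script with an allowlist of addresses that must never be locked out (the self-inflicted denial of service the reply warns about) and with merging of the addresses already on existing deny lines; the syslog lines and 192.0.2.x addresses are constructed, and threshold and per_line are assumed values.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the post); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = """\
Nov 14 10:01:02 host sshd[1001]: Failed password for root from 192.0.2.10 port 51001 ssh2
Nov 14 10:01:04 host sshd[1002]: Failed password for root from 192.0.2.10 port 51002 ssh2
Nov 14 10:01:06 host sshd[1003]: Failed password for root from 192.0.2.10 port 51003 ssh2
Nov 14 10:01:08 host sshd[1004]: Failed password for root from 192.0.2.10 port 51004 ssh2
Nov 14 10:01:10 host sshd[1005]: Failed password for root from 192.0.2.10 port 51005 ssh2
Nov 14 10:01:12 host sshd[1006]: Failed password for root from 192.0.2.10 port 51006 ssh2
Nov 14 10:02:00 host sshd[1007]: Failed password for root from 192.0.2.20 port 51007 ssh2
Nov 14 10:02:30 host sshd[1008]: Failed password for invalid user admin from 192.0.2.30 port 51008 ssh2
"""

# Match the phrase, not a fixed awk field, so a different syslog prefix cannot shift the address.
FAILED_ROOT = re.compile(r"sshd\[\d+\]: Failed password for root from (\S+) port \d+")

def count_failed_root(log_text):
    """Return {source address: number of failed root password attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_ROOT.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(counts, threshold=5, never_deny=()):
    """Addresses over the threshold, minus any the admin must never lock out."""
    return sorted(ip for ip, n in counts.items() if n > threshold and ip not in never_deny)

def rewrite_hosts_allow(existing_text, new_addresses, per_line=100):
    """Merge new_addresses into the 'sshd: ... : deny' lines, keep other lines in
    place, and re-chunk so no deny line holds more than per_line addresses."""
    deny_re = re.compile(r"^sshd\s*:\s*(.*?)\s*:\s*deny\s*$")
    kept, addresses, pos = [], set(new_addresses), None
    for line in existing_text.splitlines():
        m = deny_re.match(line)
        if m:
            addresses.update(m.group(1).split())
            if pos is None:
                pos = len(kept)  # rebuilt deny lines go where the first old one was
        else:
            kept.append(line)
    if pos is None:
        pos = 0  # first match wins in tcp_wrappers, so a new deny line goes first
    addrs = sorted(addresses)
    kept[pos:pos] = ["sshd: " + " ".join(addrs[i:i + per_line]) + " : deny"
                     for i in range(0, len(addrs), per_line)]
    return "\n".join(kept) + "\n"
```

Feed it the real log and the current /etc/hosts.allow contents, write the returned text back to a temporary file and move it into place, as the awk step above does.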