Block IP

Is there any way that can detect random ssh login attempts and
blacklist (temporarily or permanently) the IP address after X

What I'd like to do is block a particular IP address if there are more
than, say, 5 attempted logins from nonexistent usernames, and more
than 10 failed logins from existent usernames.

I've been searching the web and found nothing.
Thank you for your help,

Re: Block IP sez:

This generally isn't done because locking your boss out of the network
after he mistypes his password 5 times in a row is usually a career-
limiting move. Locking yourself out of a system colocated 500 miles
away is even worse.

Also because depending on your setup you may want to lock them out
in /etc/hosts.deny, in firewall rules, or both.

It can be scripted easily enough with e.g. swatch and perl.

Riding roughshod over some little used trifle like the English language is not a
big deal to an important technology innovator like Microsoft. They did just that
by naming a major project dot-Net (".Net").  Before that, a period followed by a
capital letter was used to mark a sentence boundary. --T. Gottfried, RISKS 21.91

Re: Block IP


Any samples of a script? Anyway, I would like to know if there is an
option in the configuration files of sshd to block a certain IP?

Re: Block IP sez:

Not that I can think of. They really really should have put Host *
blocks in sshd_config.

And no, I don't have a script sample.

Tlaloc: What was Elrond's second name?

Re: Block IP sez:

If your platform has PAM and your SSH implementation supports it, you
can use a PAM module (e.g. pam_tally or pam_abl) to implement this.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: Block IP

On Fri, 18 Mar 2005 06:49:04 -0800, wrote:


    Since I have a similar problem I would like to ask: Would it not be
possible for you to use the AllowUsers or DenyUsers keywords in the sshd
configuration file? I guess that if you have hundreds of legitimate user
names, possibly changing on a regular basis, this might not be
appropriate. But, if this is not your case, maybe using those keywords
will work for you.

Re: Block IP


Just remember that whatever you do, an IP address does not always equal a
person and can cause headaches for other users, and they may have no idea
what caused it.

--
Benn Newman -
SDF Public Access UNIX System | gopher:// |


Re: Block IP

That's true, however if you're getting bad behaviour from that IP then I
suspect the admin of that machine might have bigger headaches than you
blocking access to your machine.

For the OP; yes you can detect these ssh attempts. A combination of some
scripting language and your logs is a perfect way to stop such attacks.

One caveat though, make sure you don't go and ban your own set of IPs. :]


Benn Newman wrote:
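Added example (not from any poster in this thread): one way to do the log-scanning approach discussed above, using the original question's two thresholds, an allowlist for your own networks, and /etc/hosts.deny output. It assumes the OpenSSH syslog wording "Failed password for [invalid user] NAME from IP port N ssh2"; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Anchored at end of line with a greedy username match, so text placed in the
# username field cannot supply the address that gets counted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (invalid user )?.* from (\S+) port \d+(?: ssh2)?\s*$")
MAX_INVALID = 5   # block on MORE than 5 failures for nonexistent usernames
MAX_VALID = 10    # block on MORE than 10 failures for existing usernames

def offenders(lines, allowlist=()):
    """Return sorted IPs over either threshold, skipping allowlisted networks."""
    safe = [ipaddress.ip_network(n) for n in allowlist]
    invalid, valid = Counter(), Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # source logged as something other than an IP literal
        if any(ip in net for net in safe):
            continue  # never ban your own addresses
        (invalid if m.group(1) else valid)[ip] += 1
    hit = {ip for ip, n in invalid.items() if n > MAX_INVALID}
    hit |= {ip for ip, n in valid.items() if n > MAX_VALID}
    return sorted(str(ip) for ip in hit)

def hosts_deny(ips):
    """Render /etc/hosts.deny entries (IPv6 addresses go in brackets)."""
    return "".join(f"sshd: [{ip}]\n" if ":" in ip else f"sshd: {ip}\n" for ip in ips)

def sample_log():
    """Constructed sample lines in OpenSSH syslog format."""
    def fail(user, ip, n, invalid=False):
        tag = "invalid user " if invalid else ""
        return [f"Mar 18 06:49:04 host sshd[{1000 + i}]: Failed password for "
                f"{tag}{user} from {ip} port 40000 ssh2" for i in range(n)]
    return (fail("admin", "203.0.113.5", 6, invalid=True)    # over 5: block
            + fail("test", "198.51.100.7", 5, invalid=True)  # exactly 5: keep
            + fail("root", "203.0.113.9", 11)                # over 10: block
            + fail("boss", "192.0.2.10", 11))                # admin's own network

if __name__ == "__main__":
    print(hosts_deny(offenders(sample_log(), allowlist=["192.0.2.0/24"])), end="")
```

Run it from cron against the auth log and review the output before appending it to hosts.deny; the same list can feed firewall rules instead.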