It is a common thing, and a massive source of traffic and annoyance: somewhere, someone tries all possible usernames against ssh. This bunch of iptables/nftables scripts will:
- create a list of blockable IP addresses every 3h
- and thus block those IPs for 3h
- it works, but there is most likely a lot that can be improved, as it still uses iptables commands that are only there for backward compatibility
```bash
hostnamectl; # tested on Operating System: Debian GNU/Linux 13 (trixie) Kernel: Linux 6.12.88+deb13-arm64 Architecture: arm64
apt update
apt install iptables; # is actually nftables
```

```bash
vim /scripts/firewall/firewall_status.sh
```

```bash
#!/bin/bash
# refresh the rule listing (with packet/byte counters) once per second
while true; do
    echo "===== iptables ====="
    /sbin/iptables -L -n -v
    # iptables -S
    # iptables -L INPUT -v -n
    # echo "===== firewalld ====="
    # firewall-cmd --list-all
    # firewall-cmd --list-ports
    sleep 1; clear;
done;
```

```bash
vim /scripts/firewall/firewall_ban_ip.sh
```

```bash
#!/bin/bash
# usage: firewall_ban_ip.sh <ip>
# the rule is inserted at the top of INPUT and lives until the ruleset is flushed
echo "banning ip until firewall restart: $1"
/sbin/iptables -I INPUT -s "$1" -j DROP
# service iptables save
```

```bash
vim /scripts/firewall/block_ssh_auth_bruteforce.sh
```

```bash
#!/bin/bash
echo "reset all blocked ip..."
# note: this flushes the complete ruleset, not only the ban rules
nft flush ruleset; # debian 10 to 13 uses nftables even when there is a iptables binary
# /sbin/service iptables restart
# /etc/alternatives/iptables -> /usr/sbin/iptables-nft
file="/var/log/auth.log.block_those"
# filter out all lines with "Invalid user" and keep only the IPv4 address
sudo grep 'Invalid user' /var/log/auth.log | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' > "$file"
# remove duplicates
sudo awk '!seen[$0]++' "$file" > /var/log/auth.log.block_those.tmp && sudo mv /var/log/auth.log.block_those.tmp "$file"
while IFS= read -r IP_TO_BLOCK; do
    [ -z "$IP_TO_BLOCK" ] && continue
    echo "blocking $IP_TO_BLOCK ..."
    /scripts/firewall/firewall_ban_ip.sh "$IP_TO_BLOCK"
done < "$file"
```

```bash
crontab -e; # every 3 hours create a new list of IPs to block
0 */3 * * * /scripts/firewall/block_ssh_auth_bruteforce.sh
```

```bash
# now run the script:
/scripts/firewall/block_ssh_auth_bruteforce.sh
# afterwards run
/scripts/firewall/firewall_status.sh
```

```
===== iptables =====
Chain INPUT (policy ACCEPT 356K packets, 240M bytes)
 pkts bytes target     prot opt in     out     source               destination
   56  3360 DROP       all  --  *      *       157.7.113.83         0.0.0.0/0
   52  3120 DROP       all  --  *      *       186.10.86.130        0.0.0.0/0
   52  3120 DROP       all  --  *      *       130.162.177.104      0.0.0.0/0
    0     0 DROP       all  --  *      *       59.110.9.189         0.0.0.0/0
    8   416 DROP       all  --  *      *       185.16.214.226       0.0.0.0/0
    0     0 DROP       all  --  *      *       34.156.207.129       0.0.0.0/0
    0     0 DROP       all  --  *      *       35.205.153.229       0.0.0.0/0
    0     0 DROP       all  --  *      *       51.77.158.34         0.0.0.0/0
    0     0 DROP       all  --  *      *       58.210.182.18        0.0.0.0/0
    0     0 DROP       all  --  *      *       65.49.1.86           0.0.0.0/0
    0     0 DROP       all  --  *      *       189.194.140.170      0.0.0.0/0
    0     0 DROP       all  --  *      *       5.175.249.90         0.0.0.0/0
    0     0 DROP       all  --  *      *       192.3.218.12         0.0.0.0/0
    0     0 DROP       all  --  *      *       114.34.130.221       0.0.0.0/0
    0     0 DROP       all  --  *      *       87.226.190.225       0.0.0.0/0
    0     0 DROP       all  --  *      *       95.85.226.199        0.0.0.0/0
    0     0 DROP       all  --  *      *       147.45.50.81         0.0.0.0/0
...
```

This is the list of all blocked IP addresses.
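As an added example (not part of the original post), the same "Invalid user" extraction done nftables-natively: IPs are counted instead of just deduplicated, only sources above a threshold are banned, and the ban goes into a set element with a 3h timeout, so it expires on its own instead of surviving until the next cron flush. The table/set names `inet filter` / `sshban`, the threshold and the sample log lines are assumptions made here; the nft commands are printed, not executed.

```bash
#!/bin/bash
# Added example, not the original post's script. Parses classic rsyslog
# auth.log lines, counts "Invalid user" attempts per source IP and emits
# nftables commands for a timeout set (table/set names are placeholders).

# Constructed sample log lines (not a real capture).
SAMPLE_LOG='Jan 10 03:12:01 host sshd[1201]: Invalid user admin from 192.0.2.10 port 51234
Jan 10 03:12:05 host sshd[1202]: Invalid user oracle from 192.0.2.10 port 51240
Jan 10 03:12:09 host sshd[1203]: Invalid user test from 192.0.2.10 port 51244
Jan 10 03:13:01 host sshd[1210]: Invalid user pi from 198.51.100.7 port 40001
Jan 10 03:14:01 host sshd[1211]: Accepted publickey for alice from 203.0.113.5 port 2222'

# Print "count ip" for every source with at least $2 "Invalid user" lines,
# highest count first. $1 = log text, $2 = threshold.
bruteforce_ips() {
    printf '%s\n' "$1" \
        | grep 'Invalid user' \
        | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | awk -v min="$2" '{ n[$2]++ } END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' \
        | sort -rn
}

# One-time setup: a set with timeouts and a rule that drops matching sources.
# Printed rather than run so the example is safe to execute anywhere.
nft_setup_commands() {
    cat <<'EOF'
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0; policy accept; }
nft add set inet filter sshban { type ipv4_addr; flags timeout; }
nft add rule inet filter input ip saddr @sshban drop
EOF
}

# Turn the counted list into "add element" commands; each element drops out
# of the set by itself after 3h, which is the semantics the cron job aims for.
nft_ban_commands() {
    bruteforce_ips "$1" "$2" | while read -r count ip; do
        printf 'nft add element inet filter sshban { %s timeout 3h }\n' "$ip"
    done
}

nft_setup_commands
nft_ban_commands "$SAMPLE_LOG" 3
```

Pipe the output into `sh` (or replace `printf` with a real `nft` call) once the set exists; `nft list set inet filter sshban` then shows the remaining timeout per element.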