While experimenting with a few bash scripts to view and monitor logs on my Linux box, I came across several IP addresses associated with invalid SSH logins. I will show you the scripts in another post, because someone trying to access your system, and how you can block them, takes priority.
SSH stands for Secure Shell. It is a means of creating a cryptographically secured connection over an unsecured network. When set up properly, it is a very secure tool for managing servers, routers and switches, transferring files, or even creating a secure tunnel to your home network. With that description aside, let's delve into how you can view and filter your log files for failed SSH login attempts.
1. First, enter the command below.
sudo cat /var/log/auth.log | grep 'sshd.*Invalid'
The above command line makes use of cat (the concatenate command), which reads the auth.log file, where successful and unsuccessful login information is stored on Linux systems, and displays its contents in the terminal. The grep command looks for specific strings in that output and filters accordingly. In my case I am looking for any line containing the words “sshd” and “Invalid” (written with a capital I, as sshd logs it, since grep is case-sensitive by default).
You should see a similar output to the one below.
Now, as you can see, I received multiple attempts from the same IP address. My guess is that this is some sort of brute-force attack, where multiple passwords are tried against similar user names. Some quick research showed the country of origin for this IP address as South Africa (which could also be a proxy IP address the attacker is hiding behind).
Next we will use iptables to block the offending IP address. iptables is an application that comes preinstalled on most Linux systems and allows a user to configure the packet filtering tables provided by the Linux kernel firewall.
2. The following command will block the attacker's IP address permanently, or until the rule is removed.
sudo iptables -A INPUT -s 196.2.74.56 -j REJECT
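Putting the two steps together, here is an added bash script (my own example, not part of the original post) that reads sshd lines in the auth.log format, counts "Invalid user" attempts per source IP, and prints an iptables REJECT rule for every IP at or above a threshold. The log lines are constructed samples; the script only prints the rules so you can review them before applying, and it uses -I rather than -A so an earlier ACCEPT rule for port 22 cannot shadow the block.

```bash
#!/usr/bin/env bash
# Added example: summarise failed SSH logins per source IP and emit the
# matching iptables rules. Not the original post's script.

# Constructed sample of lines as sshd writes them to /var/log/auth.log.
SAMPLE_LOG='Mar  3 10:01:12 host sshd[2101]: Invalid user admin from 196.2.74.56 port 51122
Mar  3 10:01:15 host sshd[2103]: Invalid user oracle from 196.2.74.56 port 51130
Mar  3 10:01:19 host sshd[2105]: Invalid user test from 196.2.74.56 port 51141
Mar  3 10:02:40 host sshd[2110]: Accepted publickey for alice from 10.0.0.5 port 40022 ssh2
Mar  3 10:03:02 host sshd[2112]: Invalid user pi from 203.0.113.9 port 60010
Mar  3 10:04:00 host CRON[2120]: pam_unix(cron:session): session opened for user root'

# count_invalid: read log text on stdin and print "<count> <ip>" for each
# source IP seen in an sshd "Invalid user" line, highest count first.
count_invalid() {
    grep 'sshd.*Invalid user' \
      | sed -n 's/.*Invalid user .* from \([^ ]*\) port.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# block_rules: for each "<count> <ip>" line on stdin with count >= $1,
# print the iptables command that rejects traffic from that IP. -I puts
# the rule at the top of INPUT so it is evaluated before any ACCEPT.
block_rules() {
    awk -v min="$1" '$1 >= min { printf "iptables -I INPUT -s %s -j REJECT\n", $2 }'
}

# rules_for_sample: run both steps over the constructed sample with the
# given threshold. On a real host, replace the sample with:
#   sudo cat /var/log/auth.log | count_invalid | block_rules 3
rules_for_sample() {
    printf '%s\n' "$SAMPLE_LOG" | count_invalid | block_rules "$1"
}

# Demo: only 196.2.74.56 reaches three attempts in the sample.
rules_for_sample 3
```

Rules added with iptables live in kernel memory only, so they disappear on reboot unless you save them with your distribution's persistence tool (for example iptables-save or the netfilter-persistent package).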
Since the information on iptables is so vast, I will end this post here. However, iptables is a very useful tool for blocking an unwanted guest with a single command line.