How to quickly block an IP address with iptables on Linux.
While experimenting with a few bash scripts to view and monitor logs on my Linux box, I came across a few IP addresses associated with invalid SSH logins. I will show you the scripts in another post, because someone trying to get into your system, and how you can block them, takes priority.
SSH stands for Secure Shell. It is a protocol for creating an encrypted, authenticated connection over an untrusted network. When set up properly it is a very secure way to manage servers, routers and switches, transfer files, or even tunnel traffic into your home network. With that description aside, let's delve into how you can see and filter your log files for failed SSH login attempts.
- First enter the command below.
sudo cat /var/log/auth.log | grep 'sshd.*Invalid'
The command above uses cat (concatenate) to read /var/log/auth.log, which is where Debian-based systems (Debian, Ubuntu, Kali) record successful and failed logins; Red Hat-based systems use /var/log/secure instead, and systems that log only to the systemd journal expose the same entries through the journalctl tool. sudo is needed because the file is readable only by root and the adm group (it applies to cat alone, which is fine, since grep needs no privileges). The output is piped into grep, which prints only the lines matching the pattern: 'sshd.*Invalid' keeps lines containing "sshd" followed somewhere later by "Invalid". grep is case-sensitive, so the capital I matters; lowercase "invalid" would miss these lines.
You should see a similar output to the one below.
Sep 30 04:24:46 kali sshd[30684]: Invalid user admin from 196.2.74.56 port 42001
Sep 30 04:24:50 kali sshd[30686]: Invalid user admin from 196.2.74.56 port 42286
Sep 30 04:24:56 kali sshd[30688]: Invalid user user1 from 196.2.74.56 port 42610
Sep 30 04:25:05 kali sshd[30696]: Invalid user admin from 196.2.74.56 port 43266
Sep 30 04:25:15 kali sshd[30702]: Invalid user monitor from 196.2.74.56 port 43939
Sep 30 04:25:29 kali sshd[30711]: Invalid user sales from 196.2.74.56 port 44961
Sep 30 04:25:33 kali sshd[30713]: Invalid user ftp from 196.2.74.56 port 45321
Sep 30 04:25:37 kali sshd[30716]: Invalid user admin from 196.2.74.56 port 45646
Sep 30 04:25:42 kali sshd[30718]: Invalid user admin from 196.2.74.56 port 45955
Sep 30 04:25:53 kali sshd[30725]: Invalid user operator from 196.2.74.56 port 46649
Sep 30 04:25:58 kali sshd[30728]: Invalid user guest from 196.2.74.56 port 47016
Sep 30 04:26:02 kali sshd[30730]: Invalid user admin from 196.2.74.56 port 47352
Sep 30 04:26:07 kali sshd[30733]: Invalid user fax from 196.2.74.56 port 47737
Sep 30 04:26:14 kali sshd[30735]: Invalid user PlcmSpIp from 196.2.74.56 port 48180
Sep 30 04:26:23 kali sshd[30739]: Invalid user user from 196.2.74.56 port 49006
Sep 30 04:26:28 kali sshd[30743]: Invalid user debian from 196.2.74.56 port 49304
Sep 30 04:26:32 kali sshd[30745]: Invalid user apache from 196.2.74.56 port 49530
Sep 30 04:26:38 kali sshd[30748]: Invalid user admin from 196.2.74.56 port 49797
Sep 30 04:26:49 kali sshd[30752]: Invalid user admin from 196.2.74.56 port 50414
Sep 30 04:26:54 kali sshd[30754]: Invalid user administrator from 196.2.74.56 port 50726
Sep 30 04:26:59 kali sshd[30756]: Invalid user admin from 196.2.74.56 port 50948
Sep 30 04:27:03 kali sshd[30758]: Invalid user test from 196.2.74.56 port 51152
Sep 30 04:27:08 kali sshd[30763]: Invalid user adam from 196.2.74.56 port 51416
As you can see, I received attempt after attempt from the same IP address, only seconds apart. "Invalid user" is what sshd logs when the requested account does not exist on the system at all, so this is a dictionary-style brute-force attack cycling through common account names (admin, guest, ftp, test, operator and so on) in the hope that one of them exists with a weak password, rather than an attack on one known user. A quick lookup put the country of origin for this IP address in South Africa (though that could just as well be a proxy or compromised host the attacker is hiding behind).
Next we will use iptables to block the offending IP address. iptables is a user-space utility that comes preinstalled on most Linux distributions and lets the administrator configure the packet-filtering tables provided by the Linux kernel firewall (netfilter). Newer distributions ship nftables instead, but usually keep an iptables compatibility command with the same syntax.
- Next, the following command blocks the attacker's IP address. The rule takes effect immediately and stays in place until you delete it or the machine reboots; it is not permanent unless you save the ruleset (for example with iptables-save, or the iptables-persistent package on Debian-based systems).
sudo iptables -A INPUT -s 196.2.74.56 -j REJECT
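To turn the two manual steps above (filter the log, then block the source) into something repeatable, here is an added example shell script that is not part of the original post. It counts failed SSH logins per source IP from a constructed sample log in the same format as the output above and builds the blocking rule for any source over a threshold. The threshold, the APPLY switch, and the choice of -I INPUT 1 with DROP instead of -A with REJECT are the example's own conventions, explained in the comments; the two extra addresses in the sample are documentation ranges, not real hosts.

```sh
#!/bin/sh
# Added example, not from the original post: summarise failed SSH logins per
# source IP from an auth.log-style file and build the iptables rule for any
# source over a threshold. Assumes the Debian/Ubuntu sshd log format shown
# above ("... from <ip> port ..."); the threshold and the APPLY switch are
# this example's own conventions.

# Writes a constructed sample log (modelled on the lines above; 203.0.113.9
# and 198.51.100.7 are documentation addresses, not real hosts) to a temp
# file and prints its path.
sample_log() {
    f="$(mktemp)"
    cat >"$f" <<'EOF'
Sep 30 04:24:46 kali sshd[30684]: Invalid user admin from 196.2.74.56 port 42001
Sep 30 04:24:50 kali sshd[30686]: Invalid user admin from 196.2.74.56 port 42286
Sep 30 04:24:56 kali sshd[30688]: Invalid user user1 from 196.2.74.56 port 42610
Sep 30 04:25:05 kali sshd[30696]: Invalid user guest from 196.2.74.56 port 43266
Sep 30 04:25:10 kali sshd[30699]: Invalid user test from 203.0.113.9 port 50001
Sep 30 04:25:12 kali sshd[30700]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2
Sep 30 04:25:20 kali sshd[30705]: Failed password for root from 203.0.113.9 port 50002 ssh2
Sep 30 04:25:30 kali sshd[30710]: Failed password for invalid user admin from 196.2.74.56 port 44000 ssh2
EOF
    printf '%s\n' "$f"
}

# offending_ips LOGFILE THRESHOLD
# Counts "Invalid user" (account does not exist) and "Failed password"
# (account exists, wrong password) events per source IP and prints
# "<count> <ip>", highest first, for every IP with at least THRESHOLD hits.
# Successful logins ("Accepted ...") are not counted.
offending_ips() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Invalid user|Failed password)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -rn
}

# block_ip IP
# Builds the blocking rule. -I INPUT 1 inserts it at the top of the chain so
# an earlier ACCEPT rule cannot shadow it (the post's -A appends to the end),
# and DROP discards silently where REJECT would answer with an ICMP error.
# The rule is only printed unless APPLY=1, because inserting it needs root.
# The value is checked to be a dotted IPv4 string before it reaches iptables.
block_ip() {
    case "$1" in
        "" | *[!0-9.]*)
            printf 'refusing to block non-IPv4 value: %s\n' "$1" >&2
            return 1
            ;;
    esac
    rule="iptables -I INPUT 1 -s $1 -j DROP"
    if [ "${APPLY:-0}" = "1" ]; then
        sudo $rule
    else
        printf '%s\n' "$rule"
    fi
}

# Demo run on the constructed log: only 196.2.74.56 (5 failures) crosses a
# threshold of 3; 203.0.113.9 (2 failures) and the successful login do not.
log="$(sample_log)"
offending_ips "$log" 3 | while read -r count ip; do
    printf '# %s failed SSH logins from %s\n' "$count" "$ip"
    block_ip "$ip"
done
rm -f "$log"
```

Against a real machine, call offending_ips on /var/log/auth.log under sudo (the file is root-readable) and set APPLY=1 to insert the rules. Afterwards, sudo iptables -L INPUT -n --line-numbers lists the chain with rule positions, sudo iptables -D INPUT followed by the rule number removes one, and the ruleset must still be saved (iptables-save, or the iptables-persistent package on Debian-based systems) to survive a reboot. For an ongoing defence rather than a one-off block, a tool such as fail2ban automates exactly this log-to-firewall loop, including expiring the bans again.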
Since the information on iptables is so vast, I will end this post here. Two things are worth checking before you walk away, though. First, -A appends the rule to the end of the INPUT chain, so on a host that already has a rule accepting SSH or established connections the new rule is never reached; insert it at the top of the chain with -I instead. Second, REJECT sends back an ICMP error, which tells the scanner the host is alive, whereas DROP discards the packets silently. Still, iptables is a very useful tool for shutting out an unwanted guest with a single command.