While working on a test system running the CentOS 7 operating system, I noticed a lot of break-in attempts via Secure Shell (SSH) from various IP addresses. I saw the attempts to gain unauthorized access to the system when I issued the command journalctl -xe from the root account. The output of the journalctl command contained entries like the following:
Oct 23 22:27:42 moonpoint sshd[7312]: Failed password for root from 189.85.145.113 port 50222 ssh2
To list the IP addresses involved, I issued the command journalctl -xe | grep 'Failed password for root' to see just the entries logged with "Failed password for root", which I piped to the cut command to eliminate all but the IP address from each line. I used two cut commands: the first using the colon character as the delimiter, keeping only the fourth colon-separated field, i.e. the text after the last colon on such lines, and the second using a space as the delimiter and outputting only the seventh field, which is the IP address. I then piped the output from the cut command into the sort command to sort the output by IP address and then used the -c option with the uniq command to count the number of occurrences of entries for each IP address. I saw the following output:
# journalctl -xe | grep 'Failed password for root' | cut --delimiter=: --fields=4 | cut -d ' ' -f 7 | sort | uniq -c
      6 107.189.31.223
      3 114.242.143.121
      7 122.11.148.38
      1 136.144.41.253
      7 161.35.23.213
     22 189.85.145.113
      7 205.185.122.239
      7 205.185.123.33
     18 221.131.165.65
      4 49.88.112.69
      4 65.21.50.45
     15 81.68.131.237
#
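The extraction pipeline above, packaged as shell functions and run over a constructed sample of sshd journal lines so it can be tried offline. This is an added example, not code from the original post; the host name, process IDs and addresses in the sample are made up (documentation ranges), and the threshold function is my own addition that mimics the "numerous failed logins" count Fail2Ban acts on.

```shell
#!/bin/sh
# Constructed sample of sshd journal output (not real log data).
# Note the non-root failure and the successful key login, which the
# grep pattern must leave out.
SAMPLE_LOG='Oct 23 22:27:42 moonpoint sshd[7312]: Failed password for root from 203.0.113.5 port 50222 ssh2
Oct 23 22:27:45 moonpoint sshd[7314]: Failed password for root from 203.0.113.5 port 50230 ssh2
Oct 23 22:27:49 moonpoint sshd[7316]: Failed password for invalid user admin from 198.51.100.9 port 41002 ssh2
Oct 23 22:27:52 moonpoint sshd[7318]: Failed password for root from 198.51.100.9 port 41010 ssh2
Oct 23 22:27:58 moonpoint sshd[7320]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2
Oct 23 22:28:03 moonpoint sshd[7322]: Failed password for root from 203.0.113.5 port 50244 ssh2'

# count_failed_root_ips: read journal lines on stdin and print
# "count ip" for each source address of failed root logins, most
# frequent first. Splitting on ':' makes field 4 the message after the
# "sshd[PID]:" prefix; that field starts with a space, so when split on
# spaces the IP is word 7 (word 1 is empty), exactly as in the post's
# pipeline. The short -d/-f options are used for portability.
count_failed_root_ips() {
    grep 'Failed password for root' \
        | cut -d : -f 4 \
        | cut -d ' ' -f 7 \
        | sort \
        | uniq -c \
        | sort -rn
}

# top_offender: the single address with the most failed root logins.
top_offender() {
    count_failed_root_ips | head -n 1 | awk '{print $2}'
}

# ips_over_threshold N: addresses with at least N failed root logins,
# i.e. the kind of source Fail2Ban would ban once its retry limit is hit
# (hypothetical helper, not part of the post).
ips_over_threshold() {
    count_failed_root_ips | awk -v min="$1" '$1 >= min {print $2}'
}

# Usage: feed the constructed sample through the pipeline.
printf '%s\n' "$SAMPLE_LOG" | count_failed_root_ips
```

On a live system replace the printf with `journalctl -u sshd` (or `journalctl -xe` as in the post) piped into count_failed_root_ips; the grep pattern deliberately matches only root, so failures against other user names are not counted.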
So I decided to install the Fail2Ban program to automatically block password attempts from particular IP addresses that have numerous failed logins via SSH in a short amount of time. I first checked if fail2ban was already installed with rpm -qi fail2ban, but found it wasn't installed, so I installed it with yum install fail2ban. I then configured and enabled Fail2Ban per the steps at Using fail2ban on a CentOS 7 system.