Blocking IP addresses from failed SSH attempts in Linux Operating System

In this article, we will learn about finding the failed SSH attempts and blocking those IP addresses. To find failed attempts, we will use grep as well as cat commands. The login attempts to the SSH Server are tracked and recorded into the rsyslog daemon.


Besides having a Terminal open, we need to remember a few concepts:

  • Basic knowledge of the grep and cat commands
  • Ensure that grep is installed

How to do it

We will find the failed SSH login attempts using the grep and cat commands. First, be a root user. Type the sudo su command. Next, run the following command to fetch the failed attempts using the grep command:

# grep "Failed password" /var/log/auth.log

You can do this using the cat command also. Run the following command:

# cat /var/log/auth.log | grep "Failed password"

You can block the particular IP address that has failed SSH login attempt using tcp-wrapper. Navigate to the /etc directory. Look for the hosts.deny file, add the following line in the file, and save the file:


How it works

In this, we used the cat and grep commands. The most common use of the cat command is to display the contents of a file, and grep is a Linux utility used for searching a file for a particular pattern; then, it will display the lines that will have the particular pattern.

In the previous examples, we were searching for a failed login attempt. We are matching such key words using the grep command and then we are displaying it using the cat command.

To block an IP address, we just added a single line into the hosts.deny file, which will block that particular IP address.


Submit a Comment

Your email address will not be published. Required fields are marked *

5 × one =

Related Articles