A simple Python script that monitors SSH login attempts. After detecting 3 invalid attempts from the same IP address, the script reports the IP to AbuseIPDB, blocks it using ipset, and sends a notification via a Telegram Bot.
- Monitors SSH login attempts from the auth.log file.
- Detects multiple failed login attempts from the same IP address.
- Blocks IPs using `ipset` and `iptables`.
- Reports the IP to AbuseIPDB.
- Sends notifications via a Telegram Bot.
- Python 3.x
- Dependencies: `requests`, `json`, `re`, `subprocess`, `time`, `dotenv`
- System Tools: `ipset`, `iptables`
- Install Python: Ensure you have Python 3.x installed. You can check your Python version using:

  ```bash
  python3 --version
  ```
- Install Dependencies: Install the required Python packages using pip:

  ```bash
  pip install requests python-dotenv
  ```
- Install System Tools: Ensure `ipset` and `iptables` are installed on your system. You can install them using:

  ```bash
  sudo apt update
  sudo apt install ipset iptables
  ```
- Set Up Telegram Bot:
  - Create a Telegram Bot using BotFather and obtain the API token.
  - Obtain your chat ID.
- Set Up AbuseIPDB:
  - Sign up at AbuseIPDB and obtain your API key.
- Create a `.env` File: In the directory where your script is located, create a `.env` file and add the following configurations:

  ```
  TELEGRAM_TOKEN=your_telegram_token_here
  CHAT_ID=your_chat_id_here
  ABUSEIPDB_API_KEY=your_abuseipdb_api_key_here
  LOG_FILE=/var/log/auth.log
  FAILED_ATTEMPTS_FILE=failed_attempts.json
  MAX_FAILED_ATTEMPTS=3
  IPSET_NAME=ssh_block_list
  BLOCK_TIMEOUT=2147483
  MAX_REPORTS_PER_MINUTE=10
  ```
- Hostname Mapping: You can customize the hostnames by modifying the `HOSTNAME_MAP` dictionary directly in the script:

  ```python
  HOSTNAME_MAP = {
      'hostname': "custom hostname",
      'addmore': "custom hostnames",
  }
  ```
- Ensure the script has execute permissions:

  ```bash
  chmod +x FoxyLogs.py
  ```
- Run the script:

  ```bash
  sudo python3 FoxyLogs.py
  ```
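
The detection step described at the top (three failed attempts from one address, then an `ipset` block), as an added example that is not FoxyLogs.py's own code. It counts only `Failed password` lines; the function names, the `allowlist` parameter and the log lines are assumptions constructed for illustration, while the constants come from the sample `.env`.

```python
import ipaddress
import re
from collections import Counter

# Values copied from the sample .env above.
MAX_FAILED_ATTEMPTS = 3
IPSET_NAME = "ssh_block_list"
BLOCK_TIMEOUT = 2147483

# The user name in an sshd line is client-supplied text and may contain spaces
# or the word "from", so the address is taken from the fixed tail of the line.
FAILED_RE = re.compile(
    r"sshd(?:-session)?\[\d+\]: Failed password for (?:invalid user )?.*"
    r" from (\S+) port \d+ ssh2\s*$"
)

def source_ip(line):
    """Return the validated source address of a failed-password line, else None."""
    match = FAILED_RE.search(line)
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None

def offenders(lines, allowlist=()):
    """Addresses with at least MAX_FAILED_ATTEMPTS failures, minus the allowlist."""
    counts = Counter(ip for ip in map(source_ip, lines) if ip)
    return sorted(ip for ip, n in counts.items()
                  if n >= MAX_FAILED_ATTEMPTS and ip not in allowlist)

def ipset_command(ip):
    """argv list for subprocess.run(argv, check=True); no shell is involved."""
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an address
    return ["ipset", "add", IPSET_NAME, ip, "timeout", str(BLOCK_TIMEOUT), "-exist"]

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    "Jan 10 03:14:01 host sshd[811]: Failed password for root from 203.0.113.5 port 50122 ssh2",
    "Jan 10 03:14:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2",
    "Jan 10 03:14:05 host sshd[813]: Failed password for invalid user backup from old from 203.0.113.5 port 50130 ssh2",
    "Jan 10 03:14:09 host sshd[820]: Failed password for bob from 192.0.2.44 port 40001 ssh2",
    "Jan 10 03:15:00 host sshd[830]: Accepted publickey for bob from 192.0.2.44 port 40010 ssh2",
]

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print(" ".join(ipset_command(ip)))
```

A set created with the default `inet` family accepts only IPv4 entries, so IPv6 offenders need a second set created with `family inet6`.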