Showing posts from January, 2022

Automatically add hosts with many failed SSH logins to hosts.deny

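For demo purposes, I sometimes expose my SSH port 22 to the public internet. Even though I have limited access to a single user with 2FA, there are still lots of robot login attempts. Here is a script that adds hosts with failed logins (over 50 times in my example) to the deny file.

###
[root@rhel9beta ~]# cat check_sshd_fail.sh
#!/bin/bash
# Count "Failed password" lines per source address ($(NF-3) is the address field),
# keep sources with 50 or more failures, and write them as "sshd: <address>" entries.
# Note: ">" overwrites /etc/hosts.deny on every run.
grep "Failed password" /var/log/secure* | awk '{print $(NF-3)}' | sort -n | uniq -c | sort -nr | awk '{if ($1 >= 50) print "sshd: " $2}' > /etc/hosts.deny
###

It is easy to add a cron job to run the script regularly.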
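A variant of the script above, as an added example that is not the author's code: it applies the same count-and-threshold over `$(NF-3)`, but accepts only IPv4-shaped values, can skip one allowed address, and rewrites only a marked block of the deny file instead of overwriting the whole file. The marker text, function names, allow-list argument and sample log lines are assumptions, and it assumes an sshd that still consults hosts.deny (TCP wrappers support).

```bash
#!/bin/bash
# Added example, not the post's script. Marker text, function names and the
# sample log lines are assumptions made for this illustration.
BEGIN='# BEGIN sshd-fail-block'
END='# END sshd-fail-block'

# offenders THRESHOLD [ALLOWED_IP]: read sshd log lines on stdin, print
# "sshd: IP" for every IPv4 source with at least THRESHOLD failed passwords.
offenders() {
    awk -v min="$1" -v allow="${2:-}" '
        # $(NF-3) is the field the post uses; count it only if it is an IPv4.
        /Failed password/ && NF >= 4 &&
            $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] >= min && ip != allow) print "sshd: " ip }
    ' | sort
}

# update_deny FILE: replace only the marked block in FILE with the entries
# read on stdin; every other line is kept. Temp file + mv makes it atomic.
update_deny() {
    local file="$1" tmp
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if [ -f "$file" ]; then
        awk -v b="$BEGIN" -v e="$END" '
            $0 == b { skip = 1; next }
            $0 == e { skip = 0; next }
            !skip' "$file" > "$tmp"
    fi
    { echo "$BEGIN"; cat; echo "$END"; } >> "$tmp"
    chmod 644 "$tmp" && mv "$tmp" "$file"
}

# Constructed sample lines (documentation address ranges), not real logs.
sample_log() {
    cat <<'EOF'
Jan 10 03:12:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 40022 ssh2
Jan 10 03:12:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40024 ssh2
Jan 10 03:12:05 host sshd[1001]: Failed password for invalid user a b from 203.0.113.7 port 40026 ssh2
Jan 10 03:13:00 host sshd[1002]: Failed password for root from 198.51.100.9 port 51000 ssh2
Jan 10 03:14:00 host sshd[1003]: Accepted password for demo from 192.0.2.5 port 51010 ssh2
EOF
}

# Demo on a scratch file; a cron job would read /var/log/secure* instead.
demo_file=$(mktemp)
echo 'ALL: 192.0.2.200' > "$demo_file"       # pre-existing, unrelated rule
sample_log | offenders 3 | update_deny "$demo_file"
cat "$demo_file"; rm -f "$demo_file"
```

Running it repeatedly leaves one copy of each entry, because the marked block is replaced rather than appended to.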