
Linux - Security - Enforce SSH Failed Login Firewall Rules

Create firewall rules to block IP addresses with failed SSH authentication attempts using iptables or firewalld

Worklet Details

What the SSH Firewall Blocker does

This Automox Worklet™ creates firewall rules to block IP addresses that have made failed SSH login attempts. The Worklet parses the SSH authentication logs (/var/log/secure, /var/log/auth.log, or journalctl output) to identify the source IP addresses behind those failed attempts and adds them to firewall block rules.

The Worklet provides three configurable blocking mechanisms: blocking IPs that attempted logins with invalid usernames more than five times, blocking IPs with multiple failed password or key authentications, and rate-limiting new SSH connections based on your MaxAuthTries setting.

For iptables systems, the Worklet creates rules in a custom chain named AX_FailedLogins. For firewalld systems, it creates a custom zone and uses ipsets to manage the blocked IP addresses efficiently.

Why block failed SSH login sources

SSH brute force botnets probe internet-facing servers continuously, attempting thousands of authentication attempts per hour. Attackers use credential stuffing with leaked password databases, dictionary attacks against common usernames, and systematic enumeration of valid account names. While MaxAuthTries limits attempts per connection, attackers simply open new connections from the same source, bypassing per-connection rate limits.

Firewall-level blocking stops malicious traffic before it consumes SSH daemon resources. When iptables or firewalld drop packets from attacking IPs, the SSH service never processes the connection attempt, preventing CPU exhaustion, log file bloat, and connection table saturation that can impact legitimate user access.

The Worklet optionally excludes RFC 1918 private IP ranges to prevent blocking internal users experiencing legitimate authentication issues. This protects against operational disruption while maintaining security against external threats.

How SSH firewall blocking works

  1. Evaluation phase: The Worklet identifies whether iptables or firewalld is in use. It checks if the AX_FailedLogins chain or zone exists and whether the current rules match the log analysis. If firewall rules are missing or outdated compared to the authentication log, the endpoint is flagged for remediation.

  2. Remediation phase: The Worklet parses SSH logs to extract IP addresses with invalid username attempts, failed authentications, or MaxAuthTries violations. It creates DROP rules in iptables or adds IPs to firewalld ipsets. It also configures rate limiting rules based on your SSH MaxAuthTries setting to block IPs that make too many connection attempts within 60 seconds.
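The two phases above, condensed into an added shell example that is not the Worklet's own code: it reads standard OpenSSH syslog lines, applies the three selection rules (invalid usernames over a threshold, repeated failed password or key authentications, MaxAuthTries violations), drops RFC 1918 sources, and prints the iptables commands for the AX_FailedLogins chain rather than executing them so they can be reviewed first. The log lines are constructed, and the `-m recent` rate limit stands in for whatever rate-limit mechanism the Worklet actually uses.

```shell
#!/bin/sh
# Added example (not the Worklet's own code): log-to-firewall pipeline as a dry run
# that prints iptables commands instead of running them. Assumes standard OpenSSH
# syslog lines; the sample log below is constructed.

# Constructed sshd log covering the three patterns the Worklet blocks on.
sample_log() {
    for u in admin test oracle guest pi ubuntu; do          # six invalid-user probes
        echo "Mar  3 10:01:02 host sshd[1201]: Invalid user $u from 203.0.113.10 port 40122"
    done
    for i in 1 2 3; do                                      # repeated failed auths
        echo "Mar  3 10:02:0$i host sshd[1202]: Failed password for root from 198.51.100.7 port 51000 ssh2"
    done
    echo "Mar  3 10:02:04 host sshd[1202]: error: maximum authentication attempts exceeded for root from 198.51.100.7 port 51000 ssh2 [preauth]"
    for i in 1 2 3; do                                      # internal user mistyping a password
        echo "Mar  3 10:03:0$i host sshd[1203]: Failed password for alice from 10.0.0.5 port 42000 ssh2"
    done
}

# Read sshd lines on stdin; print each source IP that matches regex $1 more than $2 times.
offenders() {
    awk -v pat="$1" -v t="${2:-5}" '
        $0 ~ pat { for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break } }
        END { for (ip in n) if (n[ip] > t) print ip }' | sort
}

# Filter out RFC 1918 sources (what the exclude_private_ips option does).
drop_private() {
    grep -vE '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)' || true
}

# Emit the rules: a dedicated chain, one DROP per offender read from stdin, then a
# per-source rate limit allowing at most $1 (MaxAuthTries) new connections per 60 s.
block_rules() {
    chain=AX_FailedLogins; max="${1:-6}"
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    echo "iptables -C INPUT -p tcp --dport 22 -j $chain 2>/dev/null || iptables -I INPUT -p tcp --dport 22 -j $chain"
    while read -r ip; do echo "iptables -A $chain -s $ip -j DROP"; done
    echo "iptables -A $chain -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH"
    echo "iptables -A $chain -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount $((max + 1)) --name SSH -j DROP"
}

# Review first, then apply with: sample_log | offenders 'Invalid user ' 5 | drop_private | block_rules 6 | sudo sh
```

On a real host, replace `sample_log` with `cat /var/log/auth.log`, `cat /var/log/secure` or `journalctl -u sshd --no-pager`.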

SSH firewall blocking requirements

  • Linux endpoint with iptables or firewalld firewall

  • SSH authentication logs available at /var/log/secure, /var/log/auth.log, or through journalctl

  • Root or sudo privileges for firewall configuration

  • Recommended: Run on-demand via FixNow rather than as a scheduled policy

  • Optional: Set exclude_private_ips=true to prevent blocking internal IP ranges

Expected firewall state after blocking

After successful remediation, the firewall actively blocks IP addresses that triggered failed authentication events. For iptables systems, run iptables -L AX_FailedLogins -n -v to view blocked IPs and packet drop counts. For firewalld systems, the AX_FailedLogins zone contains ipsets managed through firewall-cmd --zone=AX_FailedLogins --list-sources.

Connection attempts from blocked IPs fail immediately at the network layer without consuming SSH daemon resources. The rate limiting rules restrict any single IP to your configured MaxAuthTries new connections within each 60-second window, preventing circumvention through rapid reconnection. The Automox Activity Log documents how many IP addresses were blocked and which authentication patterns triggered the rules.

How to validate the SSH failed-login firewall rule changes

  1. Run this Worklet on a pilot Linux endpoint and review the evaluation output for the SSH failed-login firewall rules.

  2. Confirm the Automox Activity Log shows successful completion and exit code 0.

  3. Verify the endpoint state using the same checks the evaluation script performs: that the AX_FailedLogins chain or zone exists and that its entries match the current authentication log.

  4. Validate the remediation effects (for example, confirm the blocked sources with iptables -L AX_FailedLogins -n -v or firewall-cmd --zone=AX_FailedLogins --list-sources), then rerun the evaluation to confirm compliance.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.