This is one of the methods I’ve used in the past to secure a Linux host against brute-force SSH attacks. While it’s not a perfect method, it does a good job of keeping hundreds of brute-force entries out of your syslog.
<pre>
# Create a new chain for trusted sources...
iptables -N SSH_WHITELIST
# On the INPUT chain, tag every new SSH connection in the 'recent' list named SSH.
# Note: -A appends, so these rules must sit before any rule that accepts tcp/22 outright,
# otherwise they never see the traffic.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# Push new ssh connections through the SSH_WHITELIST chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
# --hitcount 4 matches once 4 new connections from one IP fall within 60 seconds
# (to be more strict, use 300 seconds); --rttl additionally requires the TTL to match
# the one recorded for that IP, which filters out spoofed sources.
# Log connections that go over this limit and drop the packets. ULOG is non-terminating,
# so the DROP rule that follows is what actually drops them (ULOG needs ulogd running to
# record anything, and was later superseded by NFLOG).
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
--seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
--seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# Check source IPs; if they match trusted hosts, remove the SSH 'tag' and accept the traffic.
iptables -A SSH_WHITELIST -s 10.0.1.1 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 192.168.88.0/24 -m recent --remove --name SSH -j ACCEPT
</pre>
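To make the sliding-window behaviour of these rules concrete, here is an added Python model (not code from the original post) that walks constructed connection attempts through the four INPUT rules using simplified xt_recent semantics: --set appends a timestamp, --update matches when at least --hitcount stamps fall within --seconds and then appends another, --remove deletes the source. The 20-stamp cap is the module default, the --rttl TTL check is not modelled, and the source addresses in the trace are constructed.

```python
import ipaddress

MAX_STAMPS = 20             # xt_recent default ip_pkt_list_tot (stamps kept per source)
SECONDS, HITCOUNT = 60, 4   # from the --seconds 60 --hitcount 4 rules above
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.1.1/32", "192.168.88.0/24")]

class RecentList:
    def __init__(self):
        self.stamps = {}                  # source -> timestamps of recent hits

    def set(self, src, now):              # -m recent --set --name SSH
        self.stamps[src] = (self.stamps.get(src, []) + [now])[-MAX_STAMPS:]

    def update(self, src, now, seconds, hitcount):   # -m recent --update ...
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        self.set(src, now)                # a successful --update refreshes the entry
        return True

    def remove(self, src):                # -m recent --remove --name SSH
        self.stamps.pop(src, None)

def whitelisted(src):
    return any(ipaddress.ip_address(src) in net for net in WHITELIST)

def new_ssh_packet(recent, src, now):
    """Verdict for one NEW tcp/22 packet: ACCEPT, DROP (after ULOG) or PASS to later rules."""
    recent.set(src, now)                              # rule 1: tag every NEW packet
    if whitelisted(src):                              # rule 2: -j SSH_WHITELIST
        recent.remove(src)                            #   trusted source: untag, accept
        return "ACCEPT"
    if recent.update(src, now, SECONDS, HITCOUNT):    # rule 3: ULOG, non-terminating
        recent.update(src, now, SECONDS, HITCOUNT)    # rule 4: same match, then DROP
        return "DROP"
    return "PASS"

def simulate(attempts):                   # attempts: [(src, seconds_since_start), ...]
    recent = RecentList()
    return [new_ssh_packet(recent, src, t) for src, t in attempts]

# Constructed trace: 203.0.113.5 knocks every 10 s, then once more after a quiet minute.
TRACE = [("203.0.113.5", t) for t in (0, 10, 20, 30, 40)]
TRACE += [("192.168.88.10", 45), ("203.0.113.5", 101)]
if __name__ == "__main__":
    for (src, t), verdict in zip(TRACE, simulate(TRACE)):
        print(f"t={t:>3}s {src:<15} {verdict}")
```

The trace shows the 4th attempt inside the window being dropped, the whitelisted host passing regardless, and the same attacker getting through again once 60 seconds have elapsed since its last hit, which is the timer behaviour discussed in the comments.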
Do the entries stay in there forever or are they purged at one point?
@Justin Wilson
Well, that’s the thing about iptables: there is no way to save the entries, so they’re only blocked for the timer amount… But that’s usually enough to stop the attack and they’ll move on elsewhere to an easier target. I tested another method, but never got it perfected. I may work on it some more and post a follow-up.
If you keep giving away all your secrets, I won’t have to hire you for consulting work anymore! But seriously, everyone here loves your work. Not only do you help us out, but you educate us as we progress and move forward.