This is one of the methods I’ve used in the past to secure a Linux host against brute force ssh attacks. While its not a perfect method, it does a good job of preventing 100s of brute force entries in your syslog.
# Create a new table...
iptables -N SSH_WHITELIST
# On the input chain, mark new packets with the SSH 'tag'
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# Push new ssh connections through the SSH_WHITELIST table
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
# Limit 4 connections from an ip per 60 seconds, to be more strict, use 300 seconds.
# Log connections that go over this limit and drop the packets.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
--seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
--seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# Check source IPs, if they match trusted hosts, remove SSH 'tag' and accept the traffic.
iptables -A SSH_WHITELIST -s 10.0.1.1 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 192.168.88.0/24 -m recent --remove --name SSH -j ACCEPT
Network engineer turned management currently servicing the enterprise data center market. I started working on networks in the ’90s and still feel like that was just a few years ago. Jack of all trades, master of none; I love to learn about everything. Feel free to ask me about photography, woodworking, nhra, watches, or even networking! — For feedback, please leave a comment on the article in question, and I’ll respond as soon as I can. For everything else including fan mail or death threats, contact me via twitter.
