This is one of the methods I’ve used in the past to secure a Linux host against brute-force SSH attacks. While it’s not a perfect method, it does a good job of preventing hundreds of brute-force entries in your syslog.
```bash
# Create a new chain for trusted sources
iptables -N SSH_WHITELIST

# On the INPUT chain, mark every new SSH connection with the SSH 'tag'
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

# Push new SSH connections through the SSH_WHITELIST chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST

# Limit to 4 connections from an IP per 60 seconds; to be more strict, use 300 seconds.
# Log connections that go over this limit, then drop the packets.
# (The ULOG target was removed from the kernel in 3.17; on current systems use
#  -j NFLOG --nflog-prefix SSH_brute_force instead.)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
    --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
    --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# Connections under the limit fall through to the rest of INPUT; a later rule
# (or the chain's policy) still has to accept tcp/22 for them.

# Check source IPs: if they match trusted hosts, remove the SSH 'tag' and accept the traffic.
iptables -A SSH_WHITELIST -s 10.0.1.1 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 192.168.88.0/24 -m recent --remove --name SSH -j ACCEPT
```
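To see how the counters behave for a burst of connections, here is an added Python model of the rule order above (it is not from the original post). It replays constructed connection attempts through a simplified xt_recent list using the same --seconds 60 --hitcount 4 and whitelist; the --rttl check and the module's 20-stamp ring buffer are deliberately left out.

```python
import ipaddress

# Same parameters and trusted sources as the rule set above.
WHITELIST = [ipaddress.ip_network("10.0.1.1/32"), ipaddress.ip_network("192.168.88.0/24")]
SECONDS, HITCOUNT = 60, 4      # --seconds 60 --hitcount 4


class RecentTable:
    """Minimal model of one xt_recent list (--name SSH): hit timestamps per source.
    Simplification: no --rttl check and no cap on stored stamps."""
    def __init__(self):
        self.stamps = {}

    def set(self, ip, now):                       # --set: record this packet, always matches
        self.stamps.setdefault(ip, []).append(now)

    def update(self, ip, now, seconds, hitcount):  # --update: match if >= hitcount hits in window
        hits = [s for s in self.stamps.get(ip, []) if s >= now - seconds]
        if len(hits) < hitcount:
            return False
        self.stamps[ip].append(now)               # a match also refreshes the entry
        return True

    def remove(self, ip):                         # --remove: forget the source entirely
        self.stamps.pop(ip, None)


def new_ssh_connection(table, ip, now):
    """Walk the INPUT rules for one NEW tcp/22 packet from ip at time now (seconds)."""
    table.set(ip, now)                                             # rule 1: tag the source
    if any(ipaddress.ip_address(ip) in net for net in WHITELIST):  # rule 2: -j SSH_WHITELIST
        table.remove(ip)                                           # trusted: untag and ACCEPT
        return "ACCEPT"
    actions = []
    if table.update(ip, now, SECONDS, HITCOUNT):                   # rule 3: over limit -> ULOG
        actions.append("ULOG")
    if table.update(ip, now, SECONDS, HITCOUNT):                   # rule 4: same test -> DROP
        actions.append("DROP")
        return "+".join(actions)
    return "CONTINUE"   # under the limit: falls through to whatever rule accepts tcp/22


def replay(events):
    """Replay (time, ip) connection attempts through a fresh table; return the verdicts."""
    table = RecentTable()
    return [new_ssh_connection(table, ip, t) for t, ip in events]


if __name__ == "__main__":
    # Constructed trace: an untrusted host retries every 10 s and returns after a pause;
    # a host from the whitelisted network is never counted.
    trace = sorted([(t, "203.0.113.5") for t in (0, 10, 20, 30, 40, 200)] +
                   [(5, "192.168.88.10"), (35, "192.168.88.10")])
    for (t, ip), verdict in zip(trace, replay(trace)):
        print(f"t={t:3d} {ip:15} -> {verdict}")
```

Because a matching --update also records a hit, a source that keeps retrying stays over the limit until it has been quiet for the whole window.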