Securing SSH against bruteforce attacks

This is one of the methods I've used in the past to secure a Linux host against brute-force SSH attacks. While it's not a perfect method, it does a good job of preventing hundreds of brute-force entries in your syslog. The rules below use the iptables recent module to count new connections to port 22 per source address, drop a source that opens too many in a short window, and exempt a set of trusted addresses from the count.

```bash
# Create a new chain for the whitelist checks.
iptables -N SSH_WHITELIST

# On the INPUT chain, record the source address of every new SSH connection
# in the 'SSH' recent list (inspect it with: cat /proc/net/xt_recent/SSH).
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH

# Push new SSH connections through SSH_WHITELIST before the limit is checked.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_WHITELIST

# Rate limit: the source has already been recorded once above, so if it now
# has 4 or more entries in the last 60 seconds (the 4th new connection in a
# minute, and every one after it) log the packet and drop it. --rttl only
# counts entries whose TTL matches this packet, which makes it harder for a
# spoofed flood to lock out a real host. Each blocked attempt extends the
# window, so a source that keeps hammering stays blocked. Use 300 seconds
# to be stricter. ULOG was removed from the kernel in 3.17; NFLOG (collected
# by ulogd or any listener on netlink group 0) replaces it.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update \
          --seconds 60 --hitcount 4 --rttl --name SSH -j NFLOG --nflog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update \
          --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# Anything still here is under the limit; accept it (omit this if a later
# rule or an ACCEPT policy already handles SSH).
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Trusted sources have their entry removed from the 'SSH' list (so their
# connections never count against the limit) and are accepted outright.
iptables -A SSH_WHITELIST -s 10.0.1.1 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 192.168.88.0/24 -m recent --remove --name SSH -j ACCEPT
```

A few things to keep in mind. The counter sees TCP connections, not logins: one session that tries many passwords (up to sshd's MaxAuthTries) is not slowed, and an attacker spreading attempts across many source addresses never trips a per-address limit, so pair this with key-only authentication (`PasswordAuthentication no`) rather than relying on it alone. An `ESTABLISHED,RELATED` accept rule must come before these rules so that only the first packet of each connection is counted. A non-whitelisted admin who opens four sessions inside a minute will be locked out until 60 seconds pass without a new attempt. `-m state --state NEW` is the older spelling of the `-m conntrack --ctstate NEW` match and still works.
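As an added example (not code from the original post), here is a small POSIX shell script that turns the SSH_brute_force log lines into a per-source report, so you can see who tripped the limit, how often, and over what period. It assumes the dropped packets were logged in the layout of the kernel LOG target (`... kernel: SSH_brute_force IN=eth0 OUT= ... SRC=a.b.c.d ... DPT=22 ...`), which ulogd's LOGEMU output plugin emulates for NFLOG, and that the syslog timestamp is the traditional `Mon DD HH:MM:SS` form. The function names `bruteforce_report` and `block_candidates` and the sample log lines are mine; the sample is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: tally the SSH_brute_force
# log lines produced by the DROP rule, per source address.
#
# Assumed log layout (kernel LOG target; ulogd's LOGEMU output emulates it):
#   Mon DD HH:MM:SS host kernel: SSH_brute_force IN=eth0 OUT= ... SRC=a.b.c.d ... DPT=22 ...
# Function names and sample lines are the example author's own assumptions.

# Constructed sample: one source hammering port 22, one casual offender,
# plus an sshd line and another firewall prefix that must both be ignored.
sample_log() {
cat <<'EOF'
Mar 11 04:12:01 bastion kernel: SSH_brute_force IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4821 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 04:12:02 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 51230 ssh2
Mar 11 04:12:03 bastion kernel: SSH_brute_force IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4822 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 04:12:05 bastion kernel: SSH_brute_force IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4823 DF PROTO=TCP SPT=51238 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 04:12:06 bastion kernel: WEB_flood IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 04:12:07 bastion kernel: SSH_brute_force IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4824 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 04:12:09 bastion kernel: SSH_brute_force IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4825 DF PROTO=TCP SPT=51242 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 04:13:40 bastion kernel: SSH_brute_force IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=311 DF PROTO=TCP SPT=60010 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 11 04:13:44 bastion kernel: SSH_brute_force IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=312 DF PROTO=TCP SPT=60012 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Usage: bruteforce_report [PREFIX] < logfile
# Prints "drops src first_seen last_seen", most drops first. Only lines that
# carry the prefix and a SRC= field are counted, so sshd chatter and other
# firewall logging rules are ignored.
bruteforce_report() {
    awk -v prefix="${1:-SSH_brute_force}" '
        index($0, prefix) == 0 { next }
        {
            src = ""
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
            if (src == "") next
            drops[src]++
            if (!(src in first)) first[src] = $3   # $3 is HH:MM:SS in syslog format
            last[src] = $3
        }
        END {
            for (s in drops)
                printf "%d %s %s %s\n", drops[s], s, first[s], last[s]
        }' | sort -rn
}

# Usage: bruteforce_report < logfile | block_candidates MIN_DROPS
# Sources dropped at least MIN_DROPS times. A persistent brute forcer keeps
# extending its own 60-second window, so its count climbs quickly, while an
# admin who tripped the limit once shows up with one or two drops.
block_candidates() {
    awk -v min="${1:-3}" '$1 >= min { print $2 }'
}

# Stand-alone run against the constructed sample.
sample_log | bruteforce_report
sample_log | bruteforce_report | block_candidates 3
```

Against a real host, replace the sample with something like `grep SSH_brute_force /var/log/kern.log | bruteforce_report | block_candidates 10`. The candidate list is input for a longer-lived block (an ipset, say), which the script deliberately leaves to you; the report also doubles as a check that logging is actually reaching syslog after the ULOG-to-NFLOG change.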