
Securing SSH against bruteforce attacks

Tony Mattke · 2009.06.07 · 2 min read

This is one of the methods I’ve used in the past to secure a Linux host against brute-force SSH attacks. While it’s not a perfect method, it does a good job of preventing hundreds of brute-force entries in your syslog.

```bash
# Create a new chain for trusted hosts...
iptables -N SSH_WHITELIST

# On the INPUT chain, tag new SSH packets in the 'SSH' recent list
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

# Push new ssh connections through the SSH_WHITELIST chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST

# Limit 4 connections from an ip per 60 seconds, to be more strict, use 300 seconds.
# Log connections that go over this limit and drop the packets.
# (ULOG is the userspace logging target of the time; newer kernels replace it with NFLOG.)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
          --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
          --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# Check source IPs; if they match trusted hosts, remove the SSH 'tag' and accept the traffic.
iptables -A SSH_WHITELIST -s 10.0.1.1 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 192.168.88.0/24 -m recent --remove --name SSH -j ACCEPT
```
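To see what the counters in those rules actually do, here is an added Python model (my own, not the author's code and not the kernel's xt_recent) of the --set / --update --seconds --hitcount / --remove logic, run over a constructed sequence of NEW SSH connections. It omits --rttl (assumes every packet keeps the same TTL) and treats a packet that clears the rate limit as accepted by a later INPUT rule, which the page does not show.

```python
from collections import defaultdict, deque
import ipaddress

SECONDS, HITCOUNT = 60, 4  # --seconds 60 --hitcount 4 from the rules above
MAX_STAMPS = 20            # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps

class RecentList:
    """One named 'recent' list (the SSH list), keyed by source address."""
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=MAX_STAMPS))

    def set(self, src, now):            # -m recent --set
        self.stamps[src].append(now)

    def remove(self, src):              # -m recent --remove
        self.stamps.pop(src, None)

    def update(self, src, now):         # -m recent --update --seconds S --hitcount H
        # Match when >= HITCOUNT stamps lie inside the last SECONDS. A match also
        # records a new stamp, so a retrying attacker stays blocked until silent.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= SECONDS)
        if hits >= HITCOUNT:
            self.stamps[src].append(now)
        return hits >= HITCOUNT

def ssh_verdicts(attempts, whitelist):
    """Walk (time, src) NEW SSH connections through the INPUT rules in order; one
    'ACCEPT'/'DROP' per attempt (ACCEPT assumes a later INPUT rule allows SSH)."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    ssh, verdicts = RecentList(), []
    for now, src in attempts:
        ssh.set(src, now)                                      # --set --name SSH
        if any(ipaddress.ip_address(src) in n for n in nets):  # SSH_WHITELIST chain
            ssh.remove(src)
            verdicts.append("ACCEPT")
        elif ssh.update(src, now):                             # ULOG rule (non-terminating)
            ssh.update(src, now)                               # DROP rule matches too
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")
    return verdicts

# Constructed sample: an attacker retrying every 10s, then every 50s, then after 70s
# of silence, interleaved with a trusted host from the whitelist.
ATTEMPTS = [(0, "203.0.113.5"), (5, "10.0.1.1"), (10, "203.0.113.5"),
            (20, "203.0.113.5"), (30, "203.0.113.5"), (35, "10.0.1.1"),
            (80, "203.0.113.5"), (130, "203.0.113.5"), (200, "203.0.113.5")]
WHITELIST = ["10.0.1.1", "192.168.88.0/24"]
```

Running `ssh_verdicts(ATTEMPTS, WHITELIST)` yields DROP for the fourth attempt at t=30 and for the retries at t=80 and t=130 (each retry refreshes the window because --update stamps on a match), and ACCEPT again at t=200 once the attacker has been quiet for more than 60 seconds.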