SSH brute force attempts can be annoying. A friend shared this with me and I like it. Try adding the following to iptables:
:ALLOWED - [0:0]
# (IP you want to white list)
-A INPUT -s #.#.#.# -p tcp -m tcp --dport 22 -j ACCEPT
# all other ssh traffic must go through a rate limiting filter
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ALLOWED
# rate limit filter that only permits 3 new connections per minute
-A ALLOWED -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ALLOWED -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A ALLOWED -p tcp -j LOG --log-prefix " DROP RATE_LIMIT " --log-tcp-options --log-ip-options
-A ALLOWED -p tcp -j REJECT --reject-with icmp-port-unreachable

You could also just run ssh on a different port, but that doesn't work for everyone. Limiting the number of new connections seems to work well. I still see a few connections per minute, but it's not in the thousands, and eventually the bot gives up and moves on.

On 11/9/06, Brian Friday <[email protected]> wrote:
> Hi all,
>
> Just came across this in my random wanderings while things were compiling.
> http://www.digitalgenesis.com/software/phrel/article.php
>
> Tested this with an SSH server that we have that constantly gets brute force attacks and it worked like a charm.
>
> Brian Friday
> Infrastructure Manager
> Information Technology
> La Sierra University
> Riverside, CA 92515
> Tel: (951) 785-2900
> Fax: (951) 785-2908
> [email protected]

_______________________________________________
909linux mailing list
[email protected]
http://909linux.org/cgi-bin/mailman/listinfo/909linux
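Added example, not code from this thread or from the phrel project: a small Python model of what the `-m limit --limit 3/min --limit-burst 3` rule in the ALLOWED chain does to a stream of new-connection SYNs (a token bucket that starts with 3 tokens, spends one per accepted SYN and refills at one token every 20 seconds), together with a summariser that counts the " DROP RATE_LIMIT " lines the LOG rule writes to the kernel log, per source address. The function names, the SYN timings and the syslog lines are constructed here; the bucket model follows the documented semantics of the limit match and does not reproduce the kernel's integer credit arithmetic exactly.

```python
"""Token-bucket model of the ``-m limit --limit 3/min --limit-burst 3`` SSH
rule, plus a summariser for kernel LOG lines carrying the " DROP RATE_LIMIT "
prefix.  Added example, not code from the thread; the sample timings and
log lines below are constructed."""
import re
from collections import Counter

RATE_PER_MIN = 3   # --limit 3/min
BURST = 3          # --limit-burst 3


def simulate_limit(syn_times, rate_per_min=RATE_PER_MIN, burst=BURST):
    """Decide ACCEPT/REJECT for each new-connection SYN (timestamps in
    seconds, ascending).  The bucket starts full with `burst` tokens, each
    accepted SYN spends one, and tokens refill at `rate_per_min`, capped at
    `burst`.  This is the semantics of the limit match; the kernel's integer
    credit arithmetic is not reproduced exactly (assumption)."""
    tokens = float(burst)
    refill_per_sec = rate_per_min / 60.0
    last = syn_times[0] if syn_times else 0.0
    decisions = []
    for t in syn_times:
        tokens = min(float(burst), tokens + (t - last) * refill_per_sec)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            decisions.append((t, "ACCEPT"))
        else:
            # falls through to the LOG and REJECT rules of the ALLOWED chain
            decisions.append((t, "REJECT"))
    return decisions


def count_decisions(decisions):
    """Return (accepted, rejected) counts for a simulate_limit() result."""
    c = Counter(verdict for _, verdict in decisions)
    return c["ACCEPT"], c["REJECT"]


# Kernel LOG output: the prefix, then IN=/OUT=/MAC=/SRC=/DST=... fields.
DROP_RE = re.compile(
    r"DROP RATE_LIMIT .*?SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?DPT=(?P<dpt>\d+)"
)


def summarise_drops(log_lines, port="22"):
    """Count rate-limited SSH SYNs per source address from syslog lines."""
    per_source = Counter()
    for line in log_lines:
        m = DROP_RE.search(line)
        if m and m.group("dpt") == port:
            per_source[m.group("src")] += 1
    return per_source


# Constructed sample: a scanner firing one SYN per second for ten seconds.
BURSTY_SYNS = [float(s) for s in range(10)]
# Constructed sample: a well-behaved client spread over a minute.
SPREAD_SYNS = [0.0, 1.0, 2.0, 3.0, 30.0, 60.0]

# Constructed syslog lines in the shape the LOG target emits.
SAMPLE_LOG = [
    "Nov  9 10:15:01 host kernel:  DROP RATE_LIMIT IN=eth0 OUT= "
    "SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=54321 DPT=22 SYN",
    "Nov  9 10:15:02 host kernel:  DROP RATE_LIMIT IN=eth0 OUT= "
    "SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=54322 DPT=22 SYN",
    "Nov  9 10:15:02 host kernel:  DROP RATE_LIMIT IN=eth0 OUT= "
    "SRC=198.51.100.77 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN",
    "Nov  9 10:15:03 host sshd[1234]: Accepted publickey for alice "
    "from 192.0.2.10 port 50000 ssh2",
]

if __name__ == "__main__":
    for name, syns in (("bursty", BURSTY_SYNS), ("spread", SPREAD_SYNS)):
        acc, rej = count_decisions(simulate_limit(syns))
        print(f"{name}: {acc} accepted, {rej} rejected")
    for src, n in summarise_drops(SAMPLE_LOG).most_common():
        print(f"{src}: {n} rate-limited attempts")
```

Running it shows the point of the rule: ten SYNs in ten seconds get only the first three through and the remaining seven are logged and rejected, while a client that retries every half minute is never blocked, because the bucket has refilled by then. The summariser is the kind of check to run over `/var/log/kern.log` (or wherever the LOG target lands) to confirm the chain is actually catching the brute-force source rather than a legitimate user whose client reconnects aggressively.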
