[sclug] SSHD
Bob Dunlop
bob.dunlop at xyzzy.org.uk
Tue Jan 30 11:53:25 UTC 2007
On Tue, Jan 30 at 11:27, David Newcomb wrote:
>
> Hi All,
>
> I am getting a lot of brute force attacks on one of my linux
> internet servers. Is there a way I can make the client wait
> 60 seconds before allowing them to try and login again?
>
> Anything like this available?
iptables :-)
This won't be a drop in for your config but I guess you can adapt.
# Allow ssh access
# Whitelist of machines we like
iptables -N SSH-WHITE
iptables -A SSH-WHITE -s 1.2.3.4 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH-WHITE -s 5.6.7.8 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH-WHITE -s 9.1.2.3 -m recent --remove --name SSH -j ACCEPT
# Rate limit anyone not on the whitelist to 3 attempts per minute
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set \
--name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH-WHITE
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
--seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix "SSH brute"
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
--seconds 60 --hitcount 4 --rttl --name SSH -j DROP
# If they make it through the rate filter let them try
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
--
Bob Dunlop
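The rate-limit logic of Bob's ruleset, modelled in Python as an added example (not part of the original post): it replays a constructed sequence of connection attempts against the recent module's --set / --update --seconds 60 --hitcount 4 semantics and shows when a blocked client is let in again. The ULOG rule and the --rttl check are left out of the model, and the 10.0.0.9 address is constructed.

```python
"""Model of the recent-module rate limit used in the iptables rules above.

Constructed example: each new SSH connection is a (time_in_seconds, src) pair.
Rule order follows the post: --set, SSH-WHITE (--remove + ACCEPT),
--update --seconds 60 --hitcount 4 -> DROP, then ACCEPT.  The ULOG rule and
the --rttl check are omitted from the model.
"""

WINDOW = 60      # --seconds 60
HITCOUNT = 4     # --hitcount 4
WHITELIST = {"1.2.3.4", "5.6.7.8", "9.1.2.3"}   # SSH-WHITE hosts from the post


class SshRateLimiter:
    def __init__(self):
        self.table = {}   # the "SSH" recent list: src -> list of timestamps

    def new_connection(self, now, src):
        """Return the verdict ('ACCEPT' or 'DROP') for one new connection to port 22."""
        # Rule 1: -m recent --set --name SSH records a hit for every new connection
        stamps = self.table.setdefault(src, [])
        stamps.append(now)
        # Rule 2: SSH-WHITE removes trusted hosts from the list and accepts them
        if src in WHITELIST:
            del self.table[src]
            return "ACCEPT"
        # Rules 3/4: --update --seconds 60 --hitcount 4 matches when the source
        # has been seen HITCOUNT or more times in the last WINDOW seconds ...
        recent_hits = sum(1 for t in stamps if t > now - WINDOW)
        if recent_hits >= HITCOUNT:
            # ... and --update also refreshes "last seen" on a match, so a host
            # that keeps retrying stays blocked until it has been quiet for WINDOW
            stamps.append(now)
            return "DROP"
        # Rule 5: anything that survived the rate filter reaches sshd
        return "ACCEPT"


def run(events):
    """Replay (time, src) connection attempts in order and return the verdicts."""
    limiter = SshRateLimiter()
    return [limiter.new_connection(t, s) for t, s in events]


if __name__ == "__main__":
    # Constructed scenario: three quick attempts, a fourth within the minute,
    # a retry 45 s after being dropped, and a retry after a full quiet minute.
    attempts = [(0, "10.0.0.9"), (10, "10.0.0.9"), (20, "10.0.0.9"),
                (30, "10.0.0.9"), (75, "10.0.0.9"), (140, "10.0.0.9")]
    for (t, src), verdict in zip(attempts, run(attempts)):
        print(f"t={t:>3}s {src} -> {verdict}")
```

The retry at t=75 is still dropped because the earlier drop refreshed the entry; the client only gets through once 60 seconds have passed since its last attempt.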