Iptables and SSH brute force attempts
Update: Here's a post about problems with ipt_recent.
Update: There were some spurious issues with this script. Sometimes it appeared as though an attack against the machine caused all new connections to be blocked instead of just the offending IP. I could never reliably duplicate the behaviour, but eventually I dropped use of the script because other users were having trouble logging in sometimes. I've moved back to my perl script.
Below is the script I'm trying out, mostly snarfed from http://blog.andrew.net.au/2005/02/17.
Latest version is in Codeville at cdv://cdv.theory.org/brainsik/sysop/ipt-ssh-brute-force.
#! /bin/bash
PATH='/sbin:/usr/bin'
# Whitelist local addresses: create the chain (ignoring the error if it
# already exists from an earlier run) and flush whatever it held.
iptables -N SSH_WHITE 2>/dev/null
iptables -F SSH_WHITE
# Every address bound to a local interface is taken out of the 'SSH' recent
# list and accepted, so local traffic can never trip the hit counter.
for ip in $(ifconfig | perl -ne 'print "", (/addr:([\d.]+)/), "\n"') ; do
    iptables -A SSH_WHITE -s "$ip" -m recent --remove --name SSH -j ACCEPT
done
# Record every new SSH connection attempt in the 'SSH' recent list ...
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# ... let whitelisted sources through ...
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITE
# ... and log, then drop, any source seen 4 or more times within the last 60
# seconds (--rttl additionally requires the packet's TTL to match the one
# recorded for that address). Note these INPUT rules are appended, so running
# the script twice adds duplicate rules.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix 'SSHbrute '
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
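As an added example (not part of the original post or its script), a small bash helper that summarises the 'SSHbrute ' entries the LOG rule above writes to the kernel log, which is how you would check which addresses actually tripped the limit when a user reports login trouble. The log lines are constructed here, using RFC 5737 documentation addresses, in the standard iptables LOG field layout.

```bash
#!/bin/bash
# Constructed sample of kernel log lines as written by the LOG rule with the
# 'SSHbrute ' prefix; in practice read them from /var/log/kern.log or journalctl -k.
SAMPLE_LOG='Mar  3 10:01:02 host kernel: SSHbrute IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=1 DF PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Mar  3 10:01:03 host kernel: SSHbrute IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=2 DF PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Mar  3 10:01:09 host kernel: SSHbrute IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=44 ID=7 DF PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Mar  3 10:02:41 host kernel: SSHbrute IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 ID=3 DF PROTO=TCP SPT=40003 DPT=22 SYN URGP=0
Mar  3 10:02:42 host kernel: unrelated kernel message SRC=10.0.0.1'

# Read log lines on stdin and print one line per blocked source:
#   "<hits> <ip> <first seen> <last seen>", busiest source first.
# Only lines carrying the SSHbrute prefix count; other kernel messages are ignored.
sshbrute_summary() {
    awk '
        / SSHbrute / {
            ts = $1 " " $2 " " $3
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) {
                    ip = substr($i, 5)
                    hits[ip]++
                    if (!(ip in first)) first[ip] = ts
                    last[ip] = ts
                }
        }
        END { for (ip in hits) print hits[ip], ip, first[ip], last[ip] }
    ' | sort -k1,1nr -k2,2
}

# Number of logged (i.e. dropped) attempts from one address, 0 if it never
# appears; handy when a user claims the rule locked them out.
sshbrute_hits_for() {
    sshbrute_summary | awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | sshbrute_summary
```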