Attempts at "brute force" logins over SSH have become quite common. An attacker runs scripts that attempt repeated logins with common usernames and passwords in the hope of getting lucky. Clearly, if such attacks go on over a long period of time, they might eventually be successful. One strategy to avoid this is simply to create firewall rules that allow incoming SSH connections only from particular IP numbers. But if this is difficult or inconvenient, you can use another feature of the iptables to stop such brute force attacks. iptables has the ability to remember how many attempts have been made to a given port from a particular IP address in a certain period of time and refuse further connections if the number of attempts is too great.
The following two rules allow a maximum of four incoming SSH connections on eth1 in a period of 10 minutes, and then drop further connections until the end of that time. This is a very effective counter to brute force connection attempts.
iptables -A INPUT -i eth1 -p tcp -dport 22 -m state --state NEW
-m recent --set --name SSH iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW
-m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
In this example, -m recent --set --name SSH creates an internal list of IP addresses that have attempted to make the connection. That list is used to block future connections within the specified period.
Was this article helpful?