Block SSH Attacks

Periodically one of my servers gets hit by SSH brute force attacks, and I finally got tired of manually dealing with it.

Previously I would go through the following flow;

  • Get a notification that my server load was increasing
  • Log into the sever
  • Check/confirm that it was the usual issue, by looking at the logs
  • Check where the offending IP address is originating from.
  • Add an iptables rule to block the offending IP address iptables -I INPUT -s <OFFENDING_IP> -j DROP
  • Watch as the load returned to normal

So after a little research, with the goal of not wanting anything fancy or crazy to install and/or setup. I decided to go with a few more iptable rules to try and mitigate the issue, as per Rainer Wichmann. It is an old posting, but looks exactly like the kind of rules I’m looking for;

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set \
--name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 \
--rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 \
--rttl --name SSH -j DROP

There is also a whitelisting option, but seeing that I have a dynamic IP address, I didn’t see that as being exactly helpful.


228 Words

2014-02-28 19:00 -0500