June 19, 2005
Server SSH Login Attempt Throttle
As anyone who runs a server may have noted, it can be hit by zillions of SSH login attempts which (not having the password) fail. Here's a script that can temporarily disable logins by IP address based on X number of failed attempts from Y IP address. Nota bene: I have not yet tried it.
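As an added illustration of the idea (this is not the script the post refers to, and the log lines are constructed), the following counts failed sshd password attempts per source IP inside a sliding window, marks an IP as an offender once it reaches X failures, and emits the iptables DROP rule plus the matching delete to run when the temporary ban expires. The log format, thresholds and ban length are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic syslog-style sshd failure line (assumed format; the sample lines below are constructed).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_failures(lines, year=2005):
    """Yield (timestamp, source_ip) for each failed-password line; syslog lines carry no year."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_offenders(lines, max_attempts=5, window_minutes=10):
    """Return {ip: trigger_time} for every IP reaching max_attempts failures within the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # per-IP failure timestamps still inside the window
    blocked = {}
    for ts, ip in parse_failures(lines):
        if ip in blocked:         # already decided; later failures change nothing
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # slide the window: forget failures older than window_minutes
            q.popleft()
        if len(q) >= max_attempts:
            blocked[ip] = ts
    return blocked

def block_commands(blocked, ban_minutes=60):
    """Insert rule for each offender, plus the delete to run once the ban has expired."""
    cmds = []
    for ip, when in sorted(blocked.items()):
        rule = f"INPUT -s {ip} -p tcp --dport 22 -j DROP"
        cmds.append(f"iptables -I {rule}")
        cmds.append(f"# at {when + timedelta(minutes=ban_minutes):%H:%M}: iptables -D {rule}")
    return cmds

SAMPLE_LOG = [  # constructed: 198.51.100.7 fails 5 times in 17 s; 203.0.113.9 twice, 15 min apart
    "Jun 19 03:41:05 host sshd[2101]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    "Jun 19 03:41:09 host sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 4023 ssh2",
    "Jun 19 03:41:12 host sshd[2105]: Failed password for root from 198.51.100.7 port 4025 ssh2",
    "Jun 19 03:41:15 host sshd[2107]: Failed password for invalid user test from 198.51.100.7 port 4027 ssh2",
    "Jun 19 03:41:22 host sshd[2111]: Failed password for root from 198.51.100.7 port 4030 ssh2",
    "Jun 19 03:55:00 host sshd[2200]: Failed password for diane from 203.0.113.9 port 5001 ssh2",
    "Jun 19 04:10:00 host sshd[2210]: Failed password for diane from 203.0.113.9 port 5002 ssh2",
]
```

Running `block_commands(find_offenders(SAMPLE_LOG))` flags only 198.51.100.7; the two spaced-out failures from 203.0.113.9 fall outside the ten-minute window and are left alone.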
6 Comments to "Server SSH Login Attempt Throttle"
Joao S Veiga says:
Comment posted on 08/23/05 @ 3:41 am
I'm using an easier solution, which simply imposes an interval of 15s between new ssh connections from the same IP. This has shown to be enough to make any brute-force attack practically impossible (I noticed that they simply give up after the first attempt), but reasonable for legitimate connections.
Just add these two rules (in this sequence!) to your firewall rules:
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
(eth0 is my external interface).
BR,
Joao S Veiga
DianeV says:
Comment posted on 08/23/05 @ 1:28 pm
Interesting, Joao — and welcome! Thanks for sharing your solution. We'll look into it.
Joao S Veiga says:
Comment posted on 08/24/05 @ 12:21 pm
PS:
This assumes you already have
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s (REMOTENET) -d (OUTERNET)
above that on your current firewall rules, to accept established connection packets.
DianeV says:
Comment posted on 08/24/05 @ 12:27 pm
Thanks. Well -grin- that assumes that I know *where* to put this stuff. Could you explain?
Joao S Veiga says:
Comment posted on 09/5/05 @ 9:59 am
OUCH! A hundred apologies! I only now saw your message.
Those are commands to set up rules on a (Linux) iptables firewall.
I'm assuming you already have firewall rules set up, and those would be added to your rules (or replace the rules where you allow ssh input, if you have that).
Where to place them depends on your current configuration. I write them directly on a set of startup scripts (which I downloaded ~8 years ago and have been modifying since then).
If you use a firewall configuration front-end (I haven't tried any), you'll have to check how to reproduce the same resulting rules through it.
If you use Linux, and have no firewall setup at all, I can put the scripts I use on my web server for you to download. They are easy to use and tweak.
BR,
Joao S Veiga
DianeV says:
Comment posted on 09/5/05 @ 10:16 pm
Nice stuff, and most helpful! And good seeing you again.