06/19/2005

Server SSH Login Attempt Throttle

As anyone who runs a server may have noted, it can be hit by zillions of SSH login attempts which, not having the password, fail. Here's a script that can temporarily disable logins by IP address after X failed attempts from IP address Y. Nota bene: I have not yet tried it.

7 Comments to "Server SSH Login Attempt Throttle"

  1. Joao S Veiga says:

    I'm using an easier solution, which simply imposes an interval of 15s between new ssh connections from the same IP. This has proven to be enough to make any brute-force attack practically impossible (I noticed that they simply give up after the first attempt), but reasonable for legitimate connections.

    Just add these two rules (in this sequence!) to your firewall rules:

    iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP

    iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

    (eth0 is my external interface).

    BR,

    Joao S Veiga
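To make the timing behaviour of the two rules above concrete, here is an added Python simulation of the verdict they produce for each NEW connection; it is not iptables and not the commenter's code, and it follows the documented semantics of the "recent" match (`--update --seconds N` matches an address seen within N seconds and refreshes its timestamp; `--set` records the address). The 15-second window, the inclusive boundary, and the sample IPs and timings are constructed assumptions.

```python
# Added example: simulate the DROP/ACCEPT decision of the rule pair
#   -m recent --update --seconds 15 -j DROP   (rule 1)
#   -m recent --set -j ACCEPT                  (rule 2)
# The key property: a hit on rule 1 refreshes the "last seen" time, so a
# client that keeps retrying inside the window is dropped until it stays
# quiet for a full window, while a client that pauses gets through.

WINDOW = 15  # seconds, from "--seconds 15" (assumed inclusive boundary)


class RecentThrottle:
    """Per-source-IP throttle for NEW SSH connections."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.last_seen = {}  # source IP -> time of the last NEW packet

    def new_connection(self, t, ip):
        seen = self.last_seen.get(ip)
        # Rule 1: --update --seconds N. A match refreshes the timestamp
        # before dropping, so the window restarts on every retry.
        if seen is not None and t - seen <= self.window:
            self.last_seen[ip] = t
            return "DROP"
        # Rule 2: --set. Add (or refresh) the entry and accept.
        self.last_seen[ip] = t
        return "ACCEPT"


def simulate(events, window=WINDOW):
    """Run (time, ip) NEW connections in order; return [(time, ip, verdict)]."""
    throttle = RecentThrottle(window)
    return [(t, ip, throttle.new_connection(t, ip)) for t, ip in events]


# Constructed sample: one client retrying every few seconds, one admin
# opening a second session 20 s after the first.
SAMPLE_EVENTS = [
    (0, "203.0.113.7"),    # retrying client, first attempt
    (1, "198.51.100.2"),   # admin, first session
    (5, "203.0.113.7"),    # 5 s after last hit
    (10, "203.0.113.7"),   # 5 s after last hit
    (16, "203.0.113.7"),   # 16 s after the first try, but 6 s after the last
    (21, "198.51.100.2"),  # admin, 20 s after the first session
    (40, "203.0.113.7"),   # 24 s of silence: window has expired
]

if __name__ == "__main__":
    for t, ip, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={t:>3}s {ip:<14} {verdict}")
```

Note that the rules throttle new connections per source address, not failed logins, so they act before the password is ever checked.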

  2. DianeV says:

    Interesting, Joao — and welcome! Thanks for sharing your solution. We'll look into it.

  3. Joao S Veiga says:

    PS:
    This assumes you already have
    iptables -A INPUT -j ACCEPT -p tcp ! --syn -s (REMOTENET) -d (OUTERNET)
    above that on your current firewall rules, to accept established connection packets.

  4. DianeV says:

    Thanks. Well -grin- that assumes that I know *where* to put this stuff. Could you explain?

  5. Joao S Veiga says:

    OUCH! A hundred apologies! I only now saw your message.

    Those are commands to set up rules on a (linux) iptables firewall.

    I'm assuming you already have firewall rules set up, and those would be added to your rules (or replace the rules where you allow ssh input, if you have that).

    Where to place them depends on your current configuration. I write them directly on a set of startup scripts (which I downloaded ~8 years ago and have been modifying since then).

    If you use a firewall configuration front-end (I haven't tried any), you'll have to check how to reproduce the same resulting rules through it.

    If you use linux, and have no firewall setup at all, I can put the scripts I use on my web server for you to download. They are easy to use and tweak.

    BR,

    Joao S Veiga

  6. DianeV says:

    Nice stuff, and most helpful! And good seeing you again.

  7. Leho Kraav (@lkraav) says:

    Joao's advice on using iptables -m recent is excellent stuff at first sight. I just put in the rules after another loser tried to brute-force my server; let's see how well this actually works.

    For myself and collaborators doing their regular workflows with ssh logins and git operations, I highly doubt this 15s forced pause between multiple connections is going to be an issue.

© 2004-2017 DianeV Web Design Studio. All Rights Reserved.