Slowing Probes on SSH Servers

Every admin has seen it on a public facing machine permitting ssh access, countless probes filling logs with attempts to gain access to the machine by brute forcing passwords or attempts to use stolen keys.

There are many ways to combat this, each with advantages and disadvantages. Since my hosts all permit access only with keys, password guessing isn’t going to happen. But that still fills logs and leaves the machine open to swarms of bots all trying to gain access. Below are rules for iptables that uses ip connection tracking to ban them after 3 connection attempts in 30 seconds.


*filter
:INPUT ACCEPT [80961:118995606]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44434:2330325]
:LOGDROP - [0:0]
-A INPUT -s 10.0.0.10 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOGDROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 2592000 --hitcount 4 --rttl --name SSH --rsource -j LOGDROP
-A LOGDROP -j LOG --log-prefix "DROPPING "
-A LOGDROP -j DROP
COMMIT

Insert any whitelisted addresses you like in place of 10.0.0.10. Notice that the 4th attempt blacklists an IP for a month. Obviously, that can be less salty for your own tastes.