Random and Irrelevant » iptables http://sgp.me.uk Sam Pearson's weblog - irrelevant content randomly updated Fri, 18 Nov 2011 18:06:51 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Brute force ssh password attacks http://sgp.me.uk/2005/08/25/ssh-attacks/ http://sgp.me.uk/2005/08/25/ssh-attacks/#comments Thu, 25 Aug 2005 10:48:56 +0000 Sam http://sgp.me.uk/2005/08/25/ssh-attacks SSH server at home to the internet yesterday - less than 24 hours ago - there have been 2883 failed attempts to log in from two ip addresses... Continue reading ]]> Since opening my SSH server at home to the internet yesterday – less than 24 hours ago – there have been 2883 failed attempts to log in from two ip addresses: 209.183.190.11 and 59.120.13.130. That makes me nervous, even though I’m reasonably confident that it’s secure due to password authentication being turned off and the following two handy iptables rules in force:

iptables -A INPUT -p tcp -m state --state NEW --dport 22 \
 -m recent --update --seconds 15 -j DROP 

iptables -A INPUT -p tcp -m state --state NEW --dport 22 \
 -m recent --set -j ACCEPT

I got this idea from a post to alt.os.linux.slackware. These rules use the recent extension to iptables to track attempted SSH connections and drop any that come from the same IP within 15 seconds. If you miss-type your passphrase, you just have to remember to hang back for a few seconds before retrying to avoid getting caught out. You could jump to a custom chain that logged such connections before dropping them if you felt the need to monitor the effectiveness of the rule – although the scripts usually just stop trying after a few connection attempts are dropped.

]]> http://sgp.me.uk/2005/08/25/ssh-attacks/feed/ 0