Wednesday, 13 August 2008

Automatically blocking failed ssh attempts

If you run an ssh server (sshd) and you're connected to the Net on a public IP, then you'll likely be seeing a serious amount of wannabe hax0rs trying your box. Pain in the ass. Fortunately there are a few tactics that can be deployed. There's a good article here that covers it. Plus there's a good 'stickied' discussion, from a good list of security issues, on LinuxQuestions.org. Basically, as far as I'm concerned, two options seem to be the best:
  • Run fail2ban

  • Or install some natty firewall rules (cribbed from the above article) written by this guy:

    (1) Create a custom chain for whitelisting first:

        iptables -N SSH_WHITELIST

    (2) Whitelist any host(s) that you like:

        iptables -A SSH_WHITELIST -s TRUSTED_HOST_IP -m recent --remove --name SSH \
            -j ACCEPT

    (3) Add the blocking rules:

        iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set \
            --name SSH
        iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
        iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
            --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
        iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
            --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

    • Advantage: transparent for users
    • Disadvantages:
      • Does not distinguish between successful logins and unsuccessful login attempts (i.e. three successful logins within one minute will trigger just like three unsuccessful login attempts).
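To see exactly what those rules do, here is a small Python model of the `recent` match as the four INPUT rules use it (an added example, not code from the post or the article it cribs from): every NEW connection to port 22 records a timestamp for the source, a trusted host's entry is wiped by the whitelist chain, and the fourth NEW connection from one address inside 60 seconds is dropped, whether or not the earlier logins succeeded. The IP addresses and the 10 s / 15 s spacing are constructed sample data; `--rttl` is left out of the model.

```python
from collections import defaultdict

SECONDS, HITCOUNT = 60, 4            # --seconds 60 --hitcount 4
TRUSTED_HOSTS = {"203.0.113.10"}     # constructed stand-in for TRUSTED_HOST_IP


class RecentList:
    """One named xt_recent list (all four rules use --name SSH).
    Simplified model: --set appends an arrival time, --remove forgets the
    address, --update matches when >= HITCOUNT stamps fall inside the last
    SECONDS seconds.  --rttl (TTL must equal the one seen at --set) is not
    modelled; it has no effect here because --set runs first on every packet."""

    def __init__(self):
        self.stamps = defaultdict(list)  # src ip -> arrival times

    def set(self, src, now):
        self.stamps[src].append(now)

    def remove(self, src):
        self.stamps.pop(src, None)

    def update_matches(self, src, now):
        return sum(now - t < SECONDS for t in self.stamps.get(src, ())) >= HITCOUNT


def ssh_new_connection(lst, src, now):
    """Walk one NEW SYN to port 22 through the INPUT rules in the post."""
    lst.set(src, now)                        # -m recent --set --name SSH
    if src in TRUSTED_HOSTS:                 # -j SSH_WHITELIST: --remove, ACCEPT
        lst.remove(src)
        return "ACCEPT"
    if lst.update_matches(src, now):         # --update ... -j ULOG, then -j DROP
        return "DROP"
    return "ACCEPT"                          # reaches the normal sshd accept rule


def simulate(events):
    """events: (time_in_seconds, src_ip) pairs; returns one verdict per event."""
    lst = RecentList()
    return [ssh_new_connection(lst, src, t) for t, src in sorted(events)]


if __name__ == "__main__":
    # Constructed traffic: a scanner connecting every 10 s, and an admin who
    # logs in successfully four times within a minute.  Both lose on the 4th.
    scanner = [(t, "198.51.100.7") for t in range(0, 60, 10)]
    admin = [(t, "192.0.2.20") for t in (5, 20, 35, 50)]
    for (t, src), verdict in zip(sorted(scanner + admin), simulate(scanner + admin)):
        print(f"t={t:3d}s {src:14s} {verdict}")
```

Spacing reconnects more than 60 seconds apart, or adding the address to SSH_WHITELIST, is what keeps a legitimate user from tripping the counter.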
