Wednesday, 13 August 2008

Automatically blocking failed ssh attempts

If you run an ssh server (sshd) and you're connected to the Net on a public IP then you'll likely be seeing a serious amount of wanna-bee hax0rs trying your box. Pain in the ass. Fortunately there's a few tactics that can be deployed. There's a good article here that covers it. Plus there's a good 'stickied' discussion from a good list of security issues on Basically as far as I was concerned two options seem to be the best:
  • Run fail2ban

  • Or install some natty firewall rules (cribbed from above article) written by this guy:

  • (1) Create a custom chain for whitelisting first:
    iptables -N SSH_WHITELIST

    (2) Whitelist any host(s) that you like:

    iptables -A SSH_WHITELIST -s TRUSTED_HOST_IP -m recent --remove --name SSH \
    -j ACCEPT

    (3) Add the blocking rules:

    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set \
    --name SSH
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
    --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
    --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
  • Advantage: Transparent for users
  • Disadvantages:
    • Does not distinguish between successful logins and unsuccessful login attempts (i.e. three successful logins within one minute will trigger just like three unsuccessful login attempts).

No comments:

Post a Comment