Block lame bruteforce SSH attempts
I don't know about everyone else, but I'm sick of seeing thousands of attempts by people to bruteforce SSH on my servers. Recently I came across some handy netfilter rules which allow you to block IP addresses from connecting to SSH after too many new connections in a set time period.
These rules will block packets after more than 4 new connections within 60 seconds:
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j LOG --log-prefix "SSH_brute_force"
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
The beauty of it is that it won't break established connections, so you can't lock out your current connection if you already have a session open.
Make sure that your kernel has the ipt_recent module compiled in or available as a module.
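As an added illustration (not code from the original post), the Python below models how the `recent` match evaluates these three rules: `--set` records a timestamp for each new connection, `--update --seconds 60 --hitcount 4` matches once four timestamps fall inside the window and refreshes the entry on every match, and `--rttl` makes the kernel look entries up by (source address, TTL) so a spoofed packet carrying someone else's address but a different TTL cannot lock out the real host. Because the `--set` rule runs first and counts the current packet, the fourth attempt within 60 seconds is the first one logged and dropped, and a host that keeps retrying stays blocked until it has been quiet for 60 seconds. The addresses, the timeline, and the kernel log lines are constructed for the example; `RecentTable`, `evaluate` and `blocked_sources` are names chosen here.

```python
"""Model of the xt_recent sliding window behind the three SSH rules.

Added illustration, not code from the original post. It reproduces the
logic of `-m recent --set` followed by `-m recent --update --seconds 60
--hitcount 4 --rttl` over a constructed sequence of new-connection attempts,
and parses constructed kernel LOG lines of the kind the second rule emits.
"""
import re
from collections import defaultdict, deque

SECONDS = 60     # --seconds 60
HITCOUNT = 4     # --hitcount 4
STAMP_CAP = 20   # xt_recent keeps ip_pkt_list_tot (default 20) stamps per entry

# Constructed addresses from the RFC 5737 documentation ranges.
ATTACKER = "203.0.113.7"
ADMIN = "198.51.100.2"


class RecentTable:
    """One `--name SSH --rsource` list. With --rttl the kernel looks entries
    up by (address, TTL), so a spoofed packet carrying someone else's source
    address but a different TTL lands in its own entry."""

    def __init__(self, rttl=True):
        self.rttl = rttl
        self.entries = defaultdict(lambda: deque(maxlen=STAMP_CAP))

    def _key(self, src, ttl):
        return (src, ttl if self.rttl else None)

    def set(self, src, ttl, now):
        """`--set`: record this packet's timestamp for the source."""
        self.entries[self._key(src, ttl)].append(now)

    def update(self, src, ttl, now):
        """`--update --seconds S --hitcount N`: match when at least N stamps
        fall inside the last S seconds; a match also refreshes the entry,
        which is why a host that keeps hammering stays blocked."""
        stamps = self.entries.get(self._key(src, ttl))
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= SECONDS)
        if hits < HITCOUNT:
            return False
        stamps.append(now)
        return True


def evaluate(attempts, rttl=True):
    """Walk each (time, src, ttl) NEW-connection attempt through the three
    rules in order. Returns (time, src, verdict) with verdict 'ACCEPT'
    (falls through to whatever later rule admits SSH) or 'LOG+DROP'."""
    table = RecentTable(rttl=rttl)
    verdicts = []
    for now, src, ttl in attempts:
        table.set(src, ttl, now)                 # rule 1: --set
        table.update(src, ttl, now)              # rule 2: LOG (non-terminating)
        dropped = table.update(src, ttl, now)    # rule 3: DROP
        verdicts.append((now, src, "LOG+DROP" if dropped else "ACCEPT"))
    return verdicts


# Constructed timeline (seconds). The attacker retries every 10 s; someone
# spoofs the admin's address with TTL 200 while the real admin (TTL 64) works.
ATTEMPTS = [
    (0, ATTACKER, 54), (5, ADMIN, 64), (6, ADMIN, 200), (7, ADMIN, 200),
    (8, ADMIN, 200), (9, ADMIN, 200), (10, ATTACKER, 54), (12, ADMIN, 64),
    (20, ATTACKER, 54), (30, ATTACKER, 54), (40, ATTACKER, 54),
    (130, ATTACKER, 54),   # 90 s of silence: the window has emptied
]

# Constructed kernel log lines. The prefix as written in the rule has no
# trailing space, so it runs straight into "IN=".
LOG_LINES = [
    "kernel: SSH_brute_forceIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "kernel: SSH_brute_forceIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "kernel: SSH_brute_forceIN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.10 PROTO=TCP DPT=22",
    "kernel: unrelated message",
]

_LOG_RE = re.compile(r"SSH_brute_force.*?\bSRC=(\S+)")


def blocked_sources(lines):
    """Count LOG hits per source address from kernel log lines."""
    counts = defaultdict(int)
    for line in lines:
        m = _LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    for t, src, verdict in evaluate(ATTEMPTS):
        print(f"t={t:>4}s {src:<14} {verdict}")
    print(blocked_sources(LOG_LINES))
```

Running it shows the attacker's fourth attempt at t=30 s as the first one dropped, the real admin's second login at t=12 s still accepted despite the spoofed burst against its address (switch `rttl=False` and that login is dropped too), and the attacker admitted again at t=130 s once the window has emptied. Two practical notes: the `--log-prefix "SSH_brute_force"` as written runs into the `IN=` field in the kernel log, so a trailing space or colon in the prefix makes the lines easier to grep; and since the rules only act on state NEW, an already established session is never touched, which is exactly the behaviour the post describes.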
-Jonesy