[nSLUG] limiting ssh brute force attempts with iptables

Stephen Gregory nslug at kernelpanic.ca
Mon Jun 5 16:16:27 ADT 2006


SSH brute force attempts are annoying. There is a simple way to limit
these attempts using iptables and the recent module.

####
modprobe ipt_recent

# record the source address of every new connection to port 22
iptables -A INPUT --proto tcp --dport 22 -m state --state NEW \
	 -m recent --set

# drop it once that address has reached 6 new connections within 60 seconds
iptables -A INPUT --proto tcp --dport 22 -m state --state NEW \
	 -m recent --update --seconds 60 --hitcount 6 \
	 -j DROP

# otherwise accept the new connection
iptables -A INPUT --proto tcp --dport 22 -m state --state NEW \
	 -j ACCEPT
####

You may want to add the -i option to limit the rule to external
interfaces. Of course you can also add the rule to any chain. Often
preconfigured firewalls will have specific chains for extra user
rules. In my case the ssh server is behind the firewall so I use the
FORWARD chain and the option "-i $external_interface".

The algorithm used for --seconds and --hitcount is weak. In my testing
blocks happen after 5, 6, or 7 packets. I chose 6 packets in 60
seconds based on my log files which showed a brute force attempt every
5 seconds or so.

These rules assume there is another rule that allows --state
ESTABLISHED traffic. 

If you use this technique for more than one port/service you should
use the --name option. The recent table only stores IP addresses; the
default is the source address.

There are dangers with these rules. An attacker could run a denial of
service attack against the protected port if they knew a source IP
address commonly used to access the server. The attacker would only
need to send 1 spoofed packet every 9 seconds to block ssh access.

There also doesn't seem to be any aging or automatic flushing of
records in the recent tables. This may be a problem on firewalls that
handle heavy traffic, as the RAM will slowly fill up with "recent" hits.


-- 
sg
