Thawing SSH Brute Force Attack
Thursday, October 11th, 2007Problem: These day, one of the hosting server is under constant SSH brute force attack. The simplest way is of course to block off all SSH access and only give access to some fixed IP. However, some of our guys do not have a fixed IP, so I have to use the iptables to fence off the attacks.
Solution: A lot of people has already written on how to use iptables to stop SSH brute force attack. However, I would like to present it one more time, hopefully more complete and clear. This is the steps that I did:
- First, put in the failsafe so that you won’t locked yourself out. Add:
*/10 * * * * /sbin/iptables -F
so that the iptables rules are flushed every 10 minutes. If you locked yourself out, you can get back after 10 minutes. - You can then proceed to add rules using iptables. The commands I use are:
# iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp -m tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP - Take note that iptables command should be run using the root account.
- Try to login using SSH with 3 failed attempt and you will be locked out of the server.
- Once tested that the rulesets work well, save the rules (I am on CentOS, so I can do “
/etc/init.d/iptables save“) and remove the crontab entry. - Now, some administration stuffs:
- To see what are the IPs banned, do:
# cat /proc/net/ipt_recent/SSH - To clear all the banned IPs do:
# echo 'clear' > /proc/net/ipt_recent/SSH - To add a known bad IP do:
# echo '+xxx.xxx.xxx.xxx' > /proc/net/ipt_recent/SSH - To unban an IP do:
# echo '-xxx.xxx.xxx.xxx' > /proc/net/ipt_recent/SSH
- To see what are the IPs banned, do: