Add these rules to protect yourself against the SSH brute force attack.
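# Throttle new SSH connections per source address with the xt_recent list
# "SSH": a source that opens 4 or more new connections to tcp/22 within
# 60 seconds is logged and then dropped. Sources matching TRUSTED_HOST are
# accepted and their entry cleared, so they never accumulate hits.
#
# Requires: TRUSTED_HOST set to an address or CIDR block (e.g. 10.0.0.0/8).
# The guard below aborts with a clear message if it is unset instead of
# handing iptables a malformed -s argument.
: "${TRUSTED_HOST:?set TRUSTED_HOST to the address or CIDR block to exempt}"

# Record every new SSH connection attempt (one timestamp per attempt).
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

# Whitelist chain: trusted sources are accepted and their recent entry is
# removed. -N fails if the chain already exists (e.g. on a second run).
iptables -N SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A SSH_WHITELIST -s "$TRUSTED_HOST" -m recent --remove --name SSH -j ACCEPT

# 4 or more new connections in 60 s from one source: log, then drop.
# --rttl additionally requires the packet's TTL to match the one recorded
# for that source, which makes it harder to lock out a third party by
# spoofing its address. ULOG is non-terminating, so the DROP rule still
# runs; newer kernels have removed ULOG in favour of NFLOG.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP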
Re: SSH Brute Force Attack IPTABLES Rules |
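#!/bin/bash
# SSH brute-force throttling with iptables/xt_recent.
#
# Every new connection to tcp/22 is recorded in the recent list "SSH".
# Sources in TRUSTED_HOSTS are accepted outright (and their entry
# cleared); any other source that opens HITCOUNT or more new connections
# within WINDOW_SECS seconds is logged with the prefix
# "SSH Brute Force Attempt: " and dropped for as long as it keeps trying.
#
# Usage: run as root; edit TRUSTED_HOSTS below (addresses or CIDR blocks).
#
# NOTE: like the posted version, this script flushes the whole filter
# table ($IPTABLES -F) before installing its rules, so any other
# INPUT/FORWARD/OUTPUT rules are lost. Remove that line if these rules
# should be appended to an existing policy instead.
set -euo pipefail

readonly IPTABLES=/sbin/iptables
# Sources that are never throttled. 65.209.7.97/27 is copied from the
# original post - replace it with your own management networks.
readonly TRUSTED_HOSTS=(10.0.0.0/8 65.209.7.97/27)
# A source with HITCOUNT or more hits inside WINDOW_SECS is dropped.
readonly HITCOUNT=3
readonly WINDOW_SECS=60

#######################################
# Create a user chain, or empty it if it already exists, so the script
# can be re-run without "Chain already exists" aborting it under set -e.
# Globals:   IPTABLES (read)
# Arguments: $1 - chain name
# Returns:   non-zero only if both -N and -F fail
#######################################
ensure_chain() {
  local chain=$1
  "$IPTABLES" -N "$chain" 2>/dev/null || "$IPTABLES" -F "$chain"
}

main() {
  # Start from an empty filter table (see NOTE above).
  "$IPTABLES" -F

  ensure_chain SSH_WHITELIST
  ensure_chain SSH_BF

  # Record each new SSH attempt exactly once. The posted script also ran
  # --set on the jump into SSH_BF, so every attempt added two timestamps
  # and the effective threshold was half of HITCOUNT.
  "$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW \
    -m recent --set --name SSH --rsource

  # Trusted sources: accept and remove their recent entry so they never
  # accumulate hits.
  "$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
  local host
  for host in "${TRUSTED_HOSTS[@]}"; do
    "$IPTABLES" -A SSH_WHITELIST -s "$host" \
      -m recent --remove --name SSH --rsource -j ACCEPT
  done

  # Everyone else goes through the brute-force check.
  "$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_BF

  # Fewer than HITCOUNT hits in the window: return to INPUT and let the
  # normal policy decide. --rttl also requires the packet's TTL to match
  # the recorded one, which makes it harder to lock out a third party by
  # spoofing its address.
  "$IPTABLES" -A SSH_BF -m recent ! --rcheck --seconds "$WINDOW_SECS" \
    --hitcount "$HITCOUNT" --rttl --name SSH --rsource -j RETURN
  # At or above the threshold: log (LOG is non-terminating) and drop.
  "$IPTABLES" -A SSH_BF -j LOG --log-prefix "SSH Brute Force Attempt: "
  "$IPTABLES" -A SSH_BF -p tcp -j DROP
}

main "$@"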
Re: SSH Brute Force Attack IPTABLES Rules |
http://www.opensubscriber.com/message/netfilter@lists.netfilter.org/1609886.html |
Re: SSH Brute Force Attack IPTABLES Rules |
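#!/bin/bash
# Record every new connection to tcp/22 in the xt_recent list "SSH".
# On its own this rule only keeps the bookkeeping; a matching
# --rcheck/--update rule with --seconds/--hitcount is needed to log or
# drop sources that exceed a threshold.
echo "Adding SSH Brute Force Firewall Rules"
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH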