Blocking dictionary attacks on sshd
I've been having an ongoing problem for some time where (I guess) script kiddies are running dictionary attacks against sshd, trying a long list of usernames and passwords. Initially I wrote a lengthy script that blocked them after the fact, so they couldn't try again in the future, which looking back was entirely fruitless. Also, if you mistyped your own login, you found yourself barred.
I stumbled on a set of iptables rules the other day that serves my need perfectly, so I thought I'd share it with you all:
iptables -N SSH_CHECK                                   # new chain for SSH connection attempts
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK   # only new TCP connections to port 22 go through it
iptables -A SSH_CHECK -m recent --set --name SSH        # record the source address (and a timestamp) in the "SSH" list
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP   # 4 or more hits in 60 s: drop the packet
So basically it watches for the same IP address attempting more than 3 new connections in a minute, adds it to the recent-module list, and starts dropping its connection attempts, letting it back in once a minute of quiet time has passed. Note that dropped attempts are still recorded by the --set rule, so an attacker who keeps retrying never gets out of the list until they stop.
Current Mood: happy
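To see exactly how the --set / --update pair above behaves over time, here is a small added simulation of the recent module's sliding window (my own constructed example, not part of the original post; the timestamps are made up and the window edge is approximated as "strictly less than 60 seconds old"):

```shell
#!/bin/sh
# Simulation of the `recent` module logic behind the SSH_CHECK rules:
# every new connection attempt is recorded (--set), then dropped when the
# source address has HITCOUNT or more recorded hits inside the last WINDOW
# seconds (--update --seconds 60 --hitcount 4). Constructed example.

WINDOW=60     # --seconds 60
HITCOUNT=4    # --hitcount 4

# recent_verdicts TIMESTAMP...  -> prints one verdict per attempt, e.g.
# "ACCEPT ACCEPT ACCEPT DROP DROP ACCEPT". Timestamps are seconds, ascending,
# all new connections from one source address.
recent_verdicts() {
    history=""      # timestamps recorded by --set for this address
    out=""
    for now in "$@"; do
        history="$history $now"            # --set: record this attempt, dropped or not
        hits=0
        for t in $history; do              # count recorded hits still inside the window
            if [ $((now - t)) -lt "$WINDOW" ]; then
                hits=$((hits + 1))
            fi
        done
        if [ "$hits" -ge "$HITCOUNT" ]; then
            verdict=DROP                   # --update matched: the packet is dropped
        else
            verdict=ACCEPT                 # fell off the end of SSH_CHECK, back to INPUT
        fi
        out="$out${out:+ }$verdict"
    done
    printf '%s\n' "$out"
}

# Four attempts in 30 s: the fourth is dropped. The retry at 65 s is still
# dropped because three earlier hits remain inside its 60 s window; by 91 s
# only one recent hit remains, so the client is let back in.
recent_verdicts 0 10 20 30 65 91
# A client that keeps retrying every 5 s never clears the window.
recent_verdicts 0 5 10 15 20 25 30 35
```

The second run is the case to keep in mind for legitimate users: a flurry of reconnects (an scp loop, a misconfigured monitoring check) is indistinguishable from a dictionary attack to these rules.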