From: "Will Partain" <will.partain@xxxxxxxxxxx>
"jdow" <jdow@xxxxxxxxxxxxx> writes:
I have found, however, that a simple three line iptables addition seems
to work like a champ, except for filling up the log.
===8<---
# record every new SSH connection attempt (SYN) in the 'sshattack' list, keyed by source address
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# third or later SYN from the same source within 120 s: log it ...
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
# ... and reject it with a TCP reset
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
===8<---
This is indeed a lovely approach, but has a drawback: it can't tell
the difference between many legit SSH connections and many bogus ones.
For example, if you are getting at a Subversion repository with
'svn+ssh://host/repo-stuff', then whole bunches of ssh connections
will be made in rapid succession. You can always up the hitcount, but
that's just a method waiting to fail (e.g. what if SVN does something
unexpected that needs _lots_ of ssh connections).
Of course you must assess your particular needs and determine if limiting
connections this way is appropriate. I'm not sure at the moment whether
the tracking and blocking is per IP or not. If it is per IP address then
it's easy enough to drop the timeout to something reasonable for an SVN
transaction but longer than no time at all. It would at least slow people
down until you can block their IP completely.
{^_^}
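The thread leaves open whether the `recent` match tracks per IP; it does, keyed by source address, so one host's burst never counts against another. The following Python model of the three rules above is an added example, not code from either poster: it replays constructed SYN events (an attacker probing every few seconds, an svn+ssh client opening several connections in quick succession, and an unrelated host) through the `--set` / `--rcheck --seconds 120 --hitcount 3` logic and shows why the svn+ssh client is hit just like the attacker, and why it recovers once the 120 s window has passed. The addresses, timings, and the per-address timestamp cap of 20 (xt_recent's default `ip_pkt_list_tot`) are assumptions for the demonstration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 120   # --seconds 120
HITCOUNT = 3           # --hitcount 3
PKT_LIST_TOT = 20      # assumed: xt_recent default timestamps kept per address


class RecentList:
    """Minimal model of one xt_recent list (e.g. --name sshattack).

    Entries are keyed by source address; each holds the times of the
    most recent packets that passed a --set rule for that address.
    """

    def __init__(self, pkt_list_tot=PKT_LIST_TOT):
        self.entries = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        # --set: add src to the list (or refresh it) and record this packet's time
        self.entries[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount N: match only if src is in the list
        # and at least N recorded packets fall within the last S seconds
        if src not in self.entries:
            return False
        recent = [t for t in self.entries[src] if now - t <= seconds]
        return len(recent) >= hitcount


def filter_syns(syns, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Replay (time, src) SYN events through the three rules.

    Returns a list of (time, src, verdict). Because the --set rule runs
    first, the current SYN itself is counted, so the third SYN from one
    source inside the window is the first one rejected.
    """
    sshattack = RecentList()
    verdicts = []
    for t, src in syns:
        sshattack.set(src, t)                              # rule 1: --set
        if sshattack.rcheck(src, t, seconds, hitcount):    # rules 2 and 3 share this match
            verdicts.append((t, src, "REJECT"))            # LOG 'SSH REJECT: ' then tcp-reset
        else:
            verdicts.append((t, src, "ACCEPT"))            # falls through to later rules
    return verdicts


def count_verdict(verdicts, src, verdict):
    """Number of SYNs from src that received the given verdict."""
    return sum(1 for _, s, v in verdicts if s == src and v == verdict)


# Constructed sample traffic (seconds, source address):
ATTACKER = "198.51.100.7"   # one probe every 5 s
SVN_CLIENT = "192.0.2.10"   # svn+ssh opening five connections within 10 s
OTHER = "203.0.113.5"       # a single interactive login
SAMPLE_SYNS = (
    [(t, ATTACKER) for t in (0, 5, 10, 15, 20, 25)]
    + [(t, SVN_CLIENT) for t in (30, 32, 34, 36, 38)]
    + [(40, OTHER)]
    + [(200, SVN_CLIENT)]   # same client again after the window has expired
)

if __name__ == "__main__":
    for t, src, verdict in filter_syns(SAMPLE_SYNS):
        print(f"t={t:4d}s  {src:14s}  {verdict}")
```

Running it prints the attacker's first two probes accepted and the remaining four rejected, the svn+ssh client's first two connections accepted and the next three rejected (exactly the false positive described above), the unrelated host accepted regardless of the attacker's activity, and the svn+ssh client accepted again at t=200 s once its earlier hits have aged out of the 120 s window.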