> If you must leave ssh open to the outside world, use a simple iptables
> ruleset to limit attempts:
>
> # This rejects ssh attempts more than twice in 180 seconds...
> # First, mark attempts as part of the "sshattack" group...
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> # Optional: Include this line if you want to log these attacks...
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
> # Finally, reject the connection if more than one attempt is made in 180 seconds...
> -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
>
> If more than one ssh attempt is made in 180 seconds (three minutes)
> from a given IP address, this blocks that IP address for that duration.
> You get one try. If you fail, you must wait 3 minutes before you can
> try again.
>
> Note that even a successful login is counted. If you log in and
> immediately log out, you still have to wait 3 minutes to get in again.
>
> Change the "--hitcount 2" bits to "--hitcount 3" if you want to give
> yourself two tries to get in. You can also change the "--seconds 180"
> to "--seconds 300" to make the delay 5 minutes. The values I give above
> are enough to discourage most script kiddie attempts to get into your
> box.

Hi

Sorry to hijack this thread. The above, should it be before or after you allow the ssh port?

Thanks
G
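A small Python model of the `recent` match semantics the quoted rules depend on, added here as an illustration (it is not code from the thread, and it only simulates the three quoted rules, not a real netfilter chain): it shows why `--hitcount 2` gives exactly one try, that the SYN being checked is itself counted because the `--set` rule runs first, and that a rejected attempt re-arms the 180 second window. The address strings and timestamps are constructed sample input.

```python
from collections import defaultdict, deque

# Constructed model of xt_recent as used in the quoted ruleset:
#   rule 1: --set                 records the current SYN's timestamp per source
#   rule 2: --rcheck --seconds S --hitcount N
#                                 matches if at least N recorded stamps (the
#                                 current one included) lie within the last S s
# The kernel keeps at most ip_pkt_list_tot (default 20) stamps per address.

class RecentTable:
    def __init__(self, seconds=180, hitcount=2, max_stamps=20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, addr, now):
        """-m recent --set: append the current packet's timestamp."""
        self.stamps[addr].append(now)

    def rcheck(self, addr, now):
        """-m recent --rcheck: count stamps no older than `seconds`
        (boundary inclusive, as xt_recent does) against hitcount."""
        hits = sum(1 for t in self.stamps[addr] if now - t <= self.seconds)
        return hits >= self.hitcount


def syn(table, addr, now):
    """Walk one SYN through the quoted rules and return the verdict."""
    table.set(addr, now)          # rule 1 always fires, even for a good login
    if table.rcheck(addr, now):   # rules 2 and 3 share this condition: LOG, then REJECT
        return "REJECT"
    return "ACCEPT"               # falls through to the later rule that opens port 22


def simulate(events, seconds=180, hitcount=2):
    """events: list of (t_seconds, src_addr) SYNs in time order.
    Returns [(t, src, verdict), ...]."""
    table = RecentTable(seconds, hitcount)
    return [(t, a, syn(table, a, t)) for t, a in events]


if __name__ == "__main__":
    # Constructed sample: one source retrying at 0, 100, 200 and 400 seconds.
    for row in simulate([(0, "A"), (100, "A"), (200, "A"), (400, "A"), (0, "B")]):
        print(row)
```

Note the attempt at t=200 is still rejected: the rejected SYN at t=100 was recorded by the `--set` rule, so the source needs a full 180 seconds of silence before the count drops below the hitcount.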