On Fri, 2007-09-14 at 07:43 +0200, Gregory Machin wrote: > > If you must leave ssh open to the outside world, use a simple iptables > > ruleset to limit attempts: > > > > # This rejects ssh attempts more than twice in 180 seconds... > > # First, mark attempts as part of the "sshattack" group... > > -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set > > # Optional: Include this line if you want to log these attacks... > > -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck > > --seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: " > > # Finally, reject the connection if more than one attempt is made in 180 > > seconds... > > -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck > > --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset > > > > If more than one ssh attempt is made in 180 seconds (three minutes) > > from a given IP address, this blocks that IP address for that duration. > > You get one try. If you fail, you must wait 3 minutes before you can > > try again. > > > > Note that even a successful login is counted. If you log in and > > immediately log out, you still have to wait 3 minutes to get in again. > > > > Change the "--hitcount 2" bits to "--hitcount 3" if you want to give > > yourself two tries to get in. You can also change the "--seconds 180" > > to "--seconds 300" to make the delay 5 minutes. The values I give above > > are enough to discourage most script kiddie attempts to get into your > > box. > > Hi > Sorry to hijack this tread. The above should it be before, or after > you allow the ssh port ? Before. You want packets NOT rejected by that bit to fall through to other rules for further processing. ---------------------------------------------------------------------- - Rick Stevens, Principal Engineer rstevens@xxxxxxxxxxxx - - CDN Systems, Internap, Inc. http://www.internap.com - - - - Change is inevitable, except from a vending machine. - ----------------------------------------------------------------------