To stop brute force attacks on my server (OS is CentOS 6) I want to:
1. block for 1 minute everyone who makes more than 4 login attempts during the last minute
2. block for 1 day everyone who makes more than 100 login attempts during the last day
When I add iptables rules for item (1)
#--- SSH brute-force attack prevention ------------------------------
# Create SSH attack chains
-N SSH_CHECK
-N SSH_ATTACKED
# Capture SSH connections
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Define SSH_CHECK chain
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j SSH_ATTACKED
-A SSH_CHECK -j ACCEPT
# Define SSH_ATTACKED chain
-A SSH_ATTACKED -j LOG --log-prefix "SSH anti-brutforce: " --log-level 1
-A SSH_ATTACKED -j REJECT --reject-with icmp-host-prohibited
#----------------------------------------------------------------
iptables accepts it and works as expected. But when I try to add rules for item (2) above:
#--- SSH brute-force attack prevention ------------------------------
# Create SSH attack chains
-N SSH_CHECK
-N SSH_ATTACKED
# Capture SSH connections
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Define SSH_CHECK chain
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --set --name SSH2
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j SSH_ATTACKED
# Next line causes an error
-A SSH_CHECK -m recent --update --seconds 86400 --hitcount 100 --rttl --name SSH2 -j SSH_ATTACKED
-A SSH_CHECK -j ACCEPT
# Define SSH_ATTACKED chain
-A SSH_ATTACKED -j LOG --log-prefix "SSH anti-brutforce: " --log-level 1
-A SSH_ATTACKED -j REJECT --reject-with icmp-host-prohibited
#-----------------------------------------------------------------
it causes an error. I have done some experiments and it seems that it refuses to add two rules with the --hitcount option to the SSH_CHECK chain.
What am I doing wrong? Below is my current /etc/sysconfig/iptables file.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#--- SSH brute-force attack prevention ------------------------------
# Create SSH attack chains
-N SSH_CHECK
-N SSH_ATTACKED
# Capture SSH connections
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Define SSH_CHECK chain
-A SSH_CHECK -m recent --set --name SSH
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j SSH_ATTACKED
-A SSH_CHECK -j ACCEPT
# Define SSH_ATTACKED chain
-A SSH_ATTACKED -j LOG --log-prefix "SSH anti-brutforce: " --log-level 1
-A SSH_ATTACKED -j REJECT --reject-with icmp-host-prohibited
#-----------------------------------------------------------------
# NTP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
# LOG has to come before the catch-all REJECT; a rule placed after it is never reached
-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Edit:
I've been asked about error messages. It just doesn't say anything that could help (IMHO).
iptables-restore /etc/sysconfig/iptables
says
iptables-restore: line ## failed
where ## is the number of the last line in /etc/sysconfig/iptables
iptables -I SSH_CHECK 3 -m recent --update --seconds 86400 --hitcount 100 --rttl --name SSH2 -j SSH_ATTACKED
says
iptables: Invalid argument. Run `dmesg' for more information.
dmesg contains nothing about it