9

I'm trying to set up iptables rules to only allow 3 attempts by an IP per minute to connect to the server via SSH, and drop all connections after that to prevent SSH attacks; but it seems I'm doing something wrong!

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

Thanks

MGP

3 Answers

10

I think you had better use fail2ban, because your ipfilter rules also block legitimate connections. fail2ban will only block IPs after failed connections.

Next, a common practice is to ban IPs when they try to connect to port 22, and bind your ssh server to another port. You then face only a couple of illegitimate connections per week if your computer is not a well-known target.

For the precise question you asked:

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
Gregory MOUSSAT
    Since the server is a low end vps, I'm trying to keep resource consumption to the minimum while maintaining it as secure as possible. I've already changed the ssh server port. Should I keep those rules (above) to the new port and ban the default one (22)? – MGP Sep 22 '12 at 17:48
  • Fail2ban is in fact the best solution, even for low VPS – MGP Oct 10 '16 at 13:43
7

You can implement what you want with the following 2 rules:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

Note that using -A, which adds rules to the end of the chain, can fall foul of the way that iptables rules are processed, i.e. in order: if there is a general DROP or an allow rule before yours is reached, then they will never be acted on.

Having said that, you may also find fail2ban is a better way of implementing this kind of block.

user9517
4

You might want to try the LIMIT module.

iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute -j ACCEPT
Magellan
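The three answers rely on behaviour of the `recent` and `limit` matches that is easy to get wrong: with `--set` followed by `--update --hitcount 3`, the third NEW connection inside the window is already dropped (so only two get through, which is why the first answer uses `--hitcount 4` for "3 attempts"); a matched `--update` refreshes the entry, so a source that keeps knocking stays blocked; `-A` appends behind any earlier allow rule, as the second answer warns; and `-m limit` is one bucket shared by every source, so an attacker can starve legitimate users of the third answer's allowance. The following simulation is added here to make those properties visible; it is a constructed Python model written for this page, not kernel code or anything the answerers posted. It assumes a simplified timestamp list for `recent` and a token bucket with the default burst of 5 for `limit`, with times in plain seconds and the constructed addresses 198.51.100.7 (attacker) and 203.0.113.9 (legitimate user).

```python
"""Constructed model of the iptables `recent` (per-source --set / --update
--seconds --hitcount) and `limit` (one shared token bucket) matches, plus a
first-match chain evaluator.  A simulation written for this page, not kernel
code; times are plain seconds."""
from fractions import Fraction


class RecentList:
    """Per-source timestamp lists, after xt_recent (simplified model)."""

    def __init__(self):
        self.stamps = {}  # source address -> times the source was seen

    def set(self, src, now):
        # --set: record the source and always "match"; with no -j the
        # packet simply continues to the next rule.
        self.stamps.setdefault(src, []).append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount H: match when at least H recorded
        # hits fall inside the last S seconds.  Unlike --rcheck, a match
        # also refreshes the entry, so a source that keeps knocking stays
        # blocked for as long as it keeps knocking.
        hits = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        if len(hits) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


class LimitBucket:
    """Token bucket after the `limit` match: --limit rate, --limit-burst (default 5)."""

    def __init__(self, per_minute, burst=5):
        self.rate = Fraction(per_minute, 60)  # tokens refilled per second
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last = 0

    def match(self, src, now):
        # The bucket is global: `src` is ignored, every source drains the
        # same tokens, which is the caveat with using `limit` for SSH.
        refill = (now - self.last) * self.rate
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_chain(rules, events, policy="DROP"):
    """rules: ordered (match_fn, target) pairs, target None meaning "no -j".
    events: (time, src) of NEW SSH connections.  Returns one verdict each."""
    verdicts = []
    for now, src in events:
        verdict = policy
        for match, target in rules:
            if match(src, now) and target is not None:
                verdict = target
                break  # DROP and ACCEPT are terminating targets
        verdicts.append(verdict)
    return verdicts


def recent_chain(hitcount, seconds=60, blanket_accept_first=False):
    """The question's three rules in order.  blanket_accept_first models the
    second answer's warning: -A appends behind an earlier allow rule, so
    the recent rules are never reached."""
    rl = RecentList()
    rules = [
        (rl.set, None),                                             # --set, no -j
        (lambda s, n: rl.update(s, n, seconds, hitcount), "DROP"),  # --update ... -j DROP
        (lambda s, n: True, "ACCEPT"),                              # --state NEW -j ACCEPT
    ]
    if blanket_accept_first:
        rules.insert(0, (lambda s, n: True, "ACCEPT"))
    return rules


def limit_chain(per_minute=3):
    """The third answer's single rule; packets over the limit are not
    dropped by it, they fall through to whatever follows (here the policy)."""
    bucket = LimitBucket(per_minute)
    return [(bucket.match, "ACCEPT")]


if __name__ == "__main__":
    attacker = [(t, "198.51.100.7") for t in range(5)]  # constructed: 5 tries in 5 s
    print(run_chain(recent_chain(3), attacker))  # ['ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'DROP']
    print(run_chain(recent_chain(4), attacker))  # ['ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP', 'DROP']
    mixed = attacker + [(5, "203.0.113.9")]
    print(run_chain(limit_chain(), mixed))       # legitimate user at t=5 is starved: last verdict DROP
```

Running the block shows the off-by-one between `--hitcount 3` and "3 attempts", that a second source keeps its own counter under `recent` but shares the single bucket under `limit`, and that putting a blanket ACCEPT ahead of the `recent` rules (the `-A` ordering problem) makes them dead code.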