
Thread: iptables block attempts


It's been suggested to use the following; I'm not sure what the first line does:


Alternately, you may learn to use iptables. iptables has several additional features, including the ability to blacklist an IP address after failed attempts.

code:
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh --rsource -j ACCEPT
sudo iptables -A INPUT -m recent --update --seconds 600 --hitcount 8 --rttl --name ssh --rsource -j DROP
"--hitcount" is the number of new connections. Keep in mind that each new connection gives multiple opportunities to enter a password. If you use scp, use a higher hitcount, as each file is a new SSH session.

"--seconds" is how long the IP address is blacklisted. 10 minutes is sufficient to deter "script kiddies".

For many, many years now, I have used a similar method to deal with SSH attacks. Within the last couple of months, on another Ubuntu Forums thread, I saw this method posted. I did not understand it, although I didn't test it. Here is what I do:
code:
# Secure shell on port 22.
#
# Dynamic badguy list. Detect and drop bad IPs for password attacks on SSH.
# Once on the badguy list, drop packets from them.
$iptables -A INPUT -i $extif -m recent --update --hitcount 3 --seconds 5400 --name badguy_ssh -j LOG --log-prefix "ssh bad:" --log-level info
$iptables -A INPUT -i $extif -m recent --update --hitcount 3 --seconds 5400 --name badguy_ssh -j DROP
$iptables -A INPUT -i $extif -p tcp -m tcp --dport 22 -m recent --set --name badguy_ssh -j ACCEPT
Notice how I have the DROP rule first, in case there have already been "hitcount" attempts. Only then is the SSH packet accepted, and the hitcount bumped. I use a longer block time because I have had occurrences where 10 minutes was not enough.

The "ESTABLISHED,RELATED" rule, placed earlier in the INPUT chain, bypasses these rules.
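Both rulesets above hinge on the order in which `-m recent --set` and `--update` are evaluated, and the difference is easier to see by running it than by reading it. The Python script below is an added example, not code from either post or from the iptables project. It models the two `recent` operations that matter here (`--set` always matches and records a timestamp for the source; `--update` matches only when the source is already listed with at least `--hitcount` timestamps inside `--seconds`, and records another timestamp only on a match) and walks a burst of new SSH connections through the two chains as posted, plus the first chain with the `-j ACCEPT` taken off its `--set` rule. The source address and timings are constructed; `--rttl`, `--rsource` and the `-i $extif` interface match are not modelled, and a packet that matches no rule is reported as falling through to the chain policy.

```python
"""Model of the iptables `recent` match applied to the two SSH rulesets above.

Added example, not code from the thread or from iptables. It reproduces the
semantics that matter for rule ordering:
  --set     always matches and records a timestamp for the source
  --update  matches only if the source is listed with at least --hitcount
            timestamps inside --seconds, and records a timestamp on a match
Source address and timings are constructed; --rttl and -i are not modelled.
"""
from collections import defaultdict, deque

ACCEPT, DROP, LOG = "ACCEPT", "DROP", "LOG"
ATTACKER = "198.51.100.7"  # constructed source address (TEST-NET-2)


class Recent:
    """One named `recent` list: a bounded timestamp history per source."""

    def __init__(self, max_stamps=20):
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        self.stamps[src].append(now)  # a blocked source keeps refreshing itself
        return True


def pkt(src, now, state="NEW", dport=22):
    return {"src": src, "now": now, "state": state, "dport": dport}


def run_chain(rules, p):
    """First terminating verdict wins; LOG is non-terminating, so it continues."""
    for rule in rules:
        verdict = rule(p)
        if verdict in (ACCEPT, DROP):
            return verdict
    return "POLICY"  # no rule matched: the chain's default policy applies


def established_rule(p):
    # The ESTABLISHED,RELATED rule that both posters keep ahead of these rules.
    return ACCEPT if p["state"] in ("ESTABLISHED", "RELATED") else None


def first_post_chain(accept_on_set=True, hitcount=8, seconds=600):
    """The first post's rules. accept_on_set=False drops the -j ACCEPT from the
    --set rule and admits SSH with a separate rule placed after the DROP."""
    r = Recent()

    def set_rule(p):
        if p["state"] == "NEW" and p["dport"] == 22:
            r.set(p["src"], p["now"])
            return ACCEPT if accept_on_set else None
        return None

    def drop_rule(p):  # no port match: applies to any packet from the source
        return DROP if r.update(p["src"], p["now"], seconds, hitcount) else None

    def ssh_rule(p):
        return ACCEPT if p["dport"] == 22 else None

    return [established_rule, set_rule, drop_rule, ssh_rule]


def second_post_chain(hitcount=3, seconds=5400):
    """The second post's rules: LOG and DROP checks first, --set on the ACCEPT."""
    r = Recent()

    def log_rule(p):
        return LOG if r.update(p["src"], p["now"], seconds, hitcount) else None

    def drop_rule(p):
        return DROP if r.update(p["src"], p["now"], seconds, hitcount) else None

    def accept_rule(p):
        if p["dport"] == 22:
            r.set(p["src"], p["now"])
            return ACCEPT
        return None

    return [established_rule, log_rule, drop_rule, accept_rule]


def timeline(rules, times, dport=22):
    """Verdicts for NEW connections to `dport` from ATTACKER at the given times."""
    return [run_chain(rules, pkt(ATTACKER, t, dport=dport)) for t in times]


if __name__ == "__main__":
    burst = list(range(10))  # ten new SSH connections, one second apart
    print("first post as written  :", timeline(first_post_chain(), burst))
    print("first post, set w/o -j :", timeline(first_post_chain(False), burst))
    print("second post            :", timeline(second_post_chain(), burst))
```

Read the first line of output against the second: with `-j ACCEPT` on the `--set` rule, every new SSH connection is accepted before the DROP rule is consulted, so the first post's DROP rule (which has no port match) only ever catches a listed source's traffic to other ports. Taking the target off the `--set` rule and admitting SSH after the DROP, as the second post does, gives the intended accept-then-block behaviour. Running `second_post_chain()` against a source that keeps knocking every 1000 seconds shows why the 5400-second window behaves like a persistent ban: each dropped packet matched by `--update` adds a fresh timestamp, so the block only lapses once the source has been quiet for the whole window.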

