{"id":4199,"date":"2015-02-06T16:30:50","date_gmt":"2015-02-06T08:30:50","guid":{"rendered":"http:\/\/rmohan.com\/?p=4199"},"modified":"2015-02-06T16:30:50","modified_gmt":"2015-02-06T08:30:50","slug":"how-to-block-brute-force-attacks-on-your-ssh-server","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=4199","title":{"rendered":"How to block brute force attacks on your SSH server"},"content":{"rendered":"

You have probably seen very simple iptables rules to do this. This is a little bit better.<\/p>\n

-A INPUT -i eth0.103 -p tcp -m tcp –dport 22 -m state –state NEW -m recent –set –name SSH –rsource
\n-A INPUT -i eth0.103 -p tcp -m tcp –dport 22 -m recent –rcheck –seconds 30 –hitcount 4 –rttl –name SSH –rsource -j REJECT –reject-with tcp-reset
\n-A INPUT -i eth0.103 -p tcp -m tcp –dport 22 -m recent –rcheck –seconds 30 –hitcount 3 –rttl –name SSH –rsource -j LOG –log-prefix “SSH brute force ”
\n-A INPUT -i eth0.103 -p tcp -m tcp –dport 22 -m recent –update –seconds 30 –hitcount 3 –rttl –name SSH –rsource -j REJECT –reject-with tcp-reset
\n-A INPUT -i eth0.103 -p tcp -m tcp –dport 22 -j ACCEPT<\/p>\n

That\u2019s it.
\nNow what is it? What does it do? How does it work?<\/p>\n

The first rule tells the system:
\nTCP packets are going to come in, that will attempt to establish an SSH connection. Mark them as SSH. Pay attention to the source of the packet.
\nThe second rule says:
\nIf a packet attempting to establish an SSH connection comes, and it\u2019s the fourth packet to come from the same source in thirty seconds, just reject it with prejudice and stop thinking about it.
\nThe third and fourth rules mean:
\nIf an SSH connection packet comes in, and it\u2019s the third attempt from the same guy in thirty seconds, log it to the system log once, then immediately reject it and forget about it.
\nThe fifth rule says:
\nAny SSH packet not stopped so far, just accept it.<\/p>\n

And that\u2019s all.You may want to adjust the number of seconds and hit count to your tastes.
\nRemember that the second rule has a hit count that is one higher than the ones following it \u2014 this is a precaution to stop the packet from continuing down the chain of rules, so brute forcing won\u2019t spam your logs.<\/p>\n","protected":false},"excerpt":{"rendered":"

You have probably seen very simple iptables rules to do this. This is a little bit better.<\/p>\n

-A INPUT -i eth0.103 -p tcp -m tcp –dport 22 -m state –state NEW -m recent –set –name SSH –rsource -A INPUT -i eth0.103 -p tcp -m tcp –dport 22 -m recent –rcheck –seconds 30 –hitcount 4 –rttl […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4199"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4199"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4199\/revisions"}],"predecessor-version":[{"id":4200,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4199\/revisions\/4200"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}