Iptables and SSH
Note: This method did something very weird to my server, resulting in an inability to log in or even ping the machine, even after waiting for the timer to "clear" after a failed login attempt. As a result, this technique is no longer used on Duckpond. Experiment with this information at your own risk. See Swatch and SSH for the current brute-force SSH attack prevention scheme I'm using.
We want to block brute-force SSH login attacks, and came up with a scheme to do so. This method may be more appealing to some than a Swatch-based rig because a) it's simpler and b) it doesn't rely on external programs behaving themselves.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
After four new hits on the SSH port from the same address within a minute, the connection is logged and dropped. Obviously, once that minute has passed a new connection counts as new again, but by that point you can hope that your "friend" the brute-force attacker will have moved his ass on.
Oh, and this is a good idea after implementing:
/etc/init.d/iptables save active
That way a reboot will bring back your lovely protection scheme.
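The three iptables rules above, traced through a small Python model of the `recent` match (an added example, not the author's code). It assumes these are the only INPUT rules that see port 22 traffic and that the packet TTL stays constant so `--rttl` has no effect, and it ignores the per-address cap on stored timestamps; `VARIANT_RULES` is a hypothetical reordering that is not from the page.

```python
SECONDS, HITCOUNT = 60, 4        # --seconds 60 --hitcount 4, as on the page

class RecentList:
    """One xt_recent list (--name SSH): timestamps of recorded hits per source."""
    def __init__(self):
        self.stamps = {}

    def set(self, src, now):     # --set always matches and records a hit
        self.stamps.setdefault(src, []).append(now)
        return True

    def update(self, src, now):  # --update matches only at >= HITCOUNT recent hits
        seen = self.stamps.get(src, [])
        if sum(1 for t in seen if t >= now - SECONDS) < HITCOUNT:
            return False
        seen.append(now)         # a matching --update records another hit
        return True

# Each rule: (state filter or None, recent operation, target or None)
PAGE_RULES = [("NEW", "set", "ACCEPT"), (None, "update", "LOG"), (None, "update", "DROP")]
# Hypothetical variant, not from the page: count without a target, limit only NEW packets.
VARIANT_RULES = [("NEW", "set", None), ("NEW", "update", "LOG"), ("NEW", "update", "DROP")]

def traverse(rules, recent, src, state, now):
    """Return (verdict, logged) for one packet to port 22."""
    logged = False
    for want_state, op, target in rules:
        if want_state and state != want_state:
            continue
        if not getattr(recent, op)(src, now):
            continue
        if target == "LOG":
            logged = True        # LOG is non-terminating, keep walking the chain
        elif target:
            return target, logged
    return "POLICY", logged      # fell through to later rules or the chain policy

def replay(rules, packets):
    """Run constructed (time, src, state) packets through a fresh list."""
    recent = RecentList()
    return [traverse(rules, recent, src, state, t)[0] for t, src, state in packets]

# Constructed traffic: four new connections in 30 s, then data on an open session.
SAMPLE = [(0, "192.0.2.7", "NEW"), (10, "192.0.2.7", "NEW"), (20, "192.0.2.7", "NEW"),
          (30, "192.0.2.7", "NEW"), (31, "192.0.2.7", "ESTABLISHED")]

if __name__ == "__main__":
    print("page rules:   ", replay(PAGE_RULES, SAMPLE))
    print("variant rules:", replay(VARIANT_RULES, SAMPLE))
```

In this model the page's ordering accepts all four new connections, and the packet that gets dropped belongs to an already-open session. Each dropped packet also records hits in the list, so retransmissions keep the address listed past the original minute.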