How do I stop bruteforce SSH login attempt?

John L Fjellstad john-ubuntu at fjellstad.org
Wed Apr 12 16:50:48 UTC 2006


"Soo-Hyun Choi" <s.choi at hackers.org.uk> writes:

> I know how to block it in a FreeBSD system with "denyhost" or
> "bruteforceblocker" from the ports, but I have little knowledge in my
> Ubuntu 5.10 box.
>
> Would there be anyone who could tell me something about it?

I use iptables with the recent module.

Basically, something like this will block anyone who tries to connect
more than once every minute:

/sbin/iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state INVALID,NEW \
    -m recent --update --seconds 60 -j DROP
# third rule: the original had the typo "--m state INVALID,NEW"; the option
# is --state, and only NEW connections should be recorded and accepted
/sbin/iptables -A INPUT -p tcp -m state --state NEW -m recent --set -j ACCEPT

First rule says: any packets that are related to or part of an
established connection, let them through.
Second rule says: if a packet to port 22 (ssh) is new and was received
within the last 60 seconds from the same IP address, then drop it and
update the connection table.
Third rule says: add all new connections to the table and accept them.

What will happen is, the first connection will go through, but any
subsequent connection will be dropped if someone tries to do multiple
connections within a certain time period (60 seconds in this example).

You can put this in a script, and in your /etc/network/interfaces file,
put the script in your interface stanza, like this:

auto eth0
iface eth0 inet dhcp
      pre-up /path/to/the/script.sh  <-- put your script here

-- 
John L. Fjellstad
web: http://www.fjellstad.org/          Quis custodiet ipsos custodes
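As an added illustration (not part of John's reply), here is a small Python model of the recent-module semantics the three rules rely on: --set records a hit, --update --seconds N matches when the address was seen within the window and refreshes its timestamp, which is why a host that keeps retrying stays blocked. The --hitcount parameter is included as a generalisation (allow N connections per window rather than one); the addresses and timestamps are constructed sample input.

```python
from collections import defaultdict


class RecentList:
    """Model of one iptables 'recent' list: per source, hit timestamps."""

    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, src, now):
        # --set: record the address (or another hit for it) in the list
        self.hits[src].append(now)

    def update(self, src, now, seconds, hitcount=1):
        # --update --seconds S [--hitcount H]: match if the address is listed
        # and has at least H hits within the last S seconds. On a match the
        # hit is recorded too, so retrying while blocked extends the block.
        if src not in self.hits:
            return False
        recent = [t for t in self.hits[src] if now - t <= seconds]
        if len(recent) >= hitcount:
            self.hits[src].append(now)
            return True
        return False


def filter_attempts(attempts, seconds=60, hitcount=1):
    """Run NEW SSH connections through the DROP/ACCEPT pair of rules.

    attempts: list of (time_in_seconds, source_ip), in arrival order.
    Returns one verdict per attempt, "DROP" or "ACCEPT".
    """
    table = RecentList()
    verdicts = []
    for now, src in attempts:
        if table.update(src, now, seconds, hitcount):
            verdicts.append("DROP")      # rule 2 matched
        else:
            table.set(src, now)          # rule 3: list it and let it in
            verdicts.append("ACCEPT")
    return verdicts


if __name__ == "__main__":
    # constructed sample: one host hammering every 30s, another host once
    sample = [(0, "198.51.100.7"), (5, "203.0.113.9"), (30, "198.51.100.7"),
              (60, "198.51.100.7"), (121, "198.51.100.7")]
    print(filter_attempts(sample))
    # allowing three connections per minute instead of one
    print(filter_attempts([(t, "198.51.100.7") for t in range(0, 50, 10)],
                          hitcount=3))
```

The first run shows the retrying host only gets back in after it has stayed quiet for a full window (the attempt at 121s), which is the sliding-window behaviour of --update rather than a fixed one-per-minute budget.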