How do I stop bruteforce SSH login attempt?

John L Fjellstad john-ubuntu at
Wed Apr 12 16:50:48 UTC 2006

"Soo-Hyun Choi" <s.choi at> writes:

> I know how to block it in a FreeBSD system with "denyhost" or
> "bruteforceblocker" from the ports, but I have little knowledge in my
> Ubuntu 5.10 box.
> Would there be anyone who could tell me something about it?

I use iptables with the recent module.

Basically, something like this will block anyone who tries to connect
more than once every minute:

/sbin/iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state INVALID,NEW \
-m recent --update --seconds 60 -j DROP
/sbin/iptables -A INPUT -p tcp -m state --m state INVALID,NEW -m recent
--set -j ACCEPT

first rule says, any packages that are related or part of an
established connection, let it through
second rule says, if a package to port 22 (ssh) is new or received and
was received within the last 60 seconds from the same ip address, then
drop and update the connection table
third rule says, add all new connections to the table and accept it.

What will happen is, the first connection will go through, but any
subsequent connection will be dropped if someone tries to do multiple
connections within a certain time period (60 seconds in this example).

You can put this in a script, and in your /etc/network/interfaces file,
put the script in your interface stanza, like this:

auto eth0
iface eth0 inet dhcp
      pre-up /path/to/the/  <-- put your script here

John L. Fjellstad
web:          Quis custodiet ipsos custodes

More information about the ubuntu-users mailing list