#########################################################################
# Rate limit brute force SSH attacks, rules by Andrew Pollock           #
#                                                                       #
# http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks       #
#-----------------------------------------------------------------------#

# First whitelist a few hosts.
# "--remove" clears the source from the SSH list, so a whitelisted host
# never accumulates hits.
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s trusted.host -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s also.reliable -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s alianet.alia.org.au -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s flat.alia.org.au -m recent --remove --name SSH -j ACCEPT

# Then implement the "recent" based filter.
# Every new connection to port 22 is recorded; the fourth new connection from
# the same source within 60 seconds is logged and then dropped. "--rttl" only
# counts packets whose TTL matches the one recorded on the first hit.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
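An added example, not part of the post above, showing how to see which sources the rules are rate-limiting at the moment: it reads the list the kernel keeps for "--name SSH" and applies the same window and hit-count test as the "--update" rule. It assumes the /proc/net/xt_recent/SSH path of current kernels and HZ=100 (so 60 s is 6000 jiffies); the table it falls back to is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: list the sources that the
# rules above are currently rate-limiting, by reading the list the kernel
# keeps for "--name SSH". Current kernels expose it at
# /proc/net/xt_recent/SSH, one entry per line, e.g.
#   src=198.51.100.9 ttl: 64 last_seen: 11500 oldest_pkt: 1 11500, 11600
# The trailing numbers are the hit timestamps in kernel jiffies, so the
# window must be given in jiffies (6000 = 60 s at HZ=100; an assumption,
# check your kernel's HZ).

# Constructed sample table (not captured from a real host).
SAMPLE_TABLE='src=203.0.113.7 ttl: 52 last_seen: 12000 oldest_pkt: 4 11700, 11800, 11900, 12000
src=198.51.100.9 ttl: 64 last_seen: 11500 oldest_pkt: 1 11500
src=192.0.2.33 ttl: 61 last_seen: 12050 oldest_pkt: 1 5000, 11990, 12010, 12030, 12050'

# offenders TABLE_TEXT HITCOUNT WINDOW_JIFFIES
# Prints "<source> <hits-in-window>" for every source whose number of hits
# inside the window reaches HITCOUNT, i.e. the sources the --update rule
# would match right now. The newest stamp in the table stands in for "now".
offenders() {
    printf '%s\n' "$1" | awk -v hits="$2" -v win="$3" '
        BEGIN { newest = 0 }
        NF >= 8 {
            gsub(/,/, "")                 # stamps are comma separated
            if ($NF + 0 > newest) newest = $NF + 0
            lines[++n] = $0
        }
        END {
            for (i = 1; i <= n; i++) {
                k = split(lines[i], f)
                sub(/^src=/, "", f[1])
                c = 0
                for (j = 8; j <= k; j++)   # fields 8.. are the stamps
                    if (f[j] + 0 > newest - win) c++
                if (c >= hits) print f[1], c
            }
        }'
}

# On a host with the rules loaded, inspect the live table;
# otherwise fall back to the constructed sample.
if [ -r /proc/net/xt_recent/SSH ]; then
    offenders "$(cat /proc/net/xt_recent/SSH)" 4 6000
else
    offenders "$SAMPLE_TABLE" 4 6000
fi
```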
With all this you might as well just use tcpwrappers.

vi /etc/hosts.deny  (IPs to deny by default. All in this case)
sshd: ALL

vi /etc/hosts.allow  (IPs to allow to SSH)
sshd: <ips to allow>

Example:
sshd: 192.168.1. 10.10.0.100

Brad Dameron
SeaTab Software
www.seatab.com