iptables for ssh brute force attacks
Had a new client ask me to take a look at his machines today, found a nice number of brute force ssh attempts. Hopefully it'll help someone out:
```sh
#!/bin/sh
# iptables may live in /sbin or /usr/sbin depending on the distribution
PATH=/sbin:/usr/sbin

# Dedicated chain for SSH traffic
iptables -N sshthrottle
# Packets belonging to an already-accepted connection pass straight through
iptables -A sshthrottle -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow at most 3 new connections (SYNs) per minute, with a burst of 3.
# Note: -m limit is one token bucket shared by every source hitting this
# rule, not a per-IP counter; per-source throttling needs -m hashlimit or -m recent.
iptables -A sshthrottle -p TCP --syn -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
# Anything over the limit is logged with a searchable prefix, then rejected
iptables -A sshthrottle -p TCP -j LOG --log-level "NOTICE" --log-prefix '[DROP:RATE_LIMIT] '
iptables -A sshthrottle -p TCP -j REJECT
# Send all inbound traffic to port 22 through the new chain
iptables -I INPUT -p TCP -s 0/0 --dport 22 -j sshthrottle
```
This sets up a rule that is triggered by more than 3 hits to the ssh port by the same source IP in one minute; after that the sshthrottle chain rejects the packets and logs them with the '[DROP:RATE_LIMIT]' tag.
Dig it out of your syslog/messages later with this:
```sh
# Pull the source address out of every logged line in $file and count hits per IP
sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' "$file" | sort | uniq -c | sort -n
# Same idea restricted to the RATE_LIMIT prefix; the field number ($10) depends on
# your syslog line format, so adjust it if the SRC= token sits elsewhere
grep RATE_LIMIT firewall | awk '{print $10}' | sed -e 's/SRC=//g' | sort | uniq -c | sort -n
```
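The same per-source tally as a small function, added here as an example rather than taken from the original post. It extracts the `SRC=` token directly instead of relying on a fixed awk field, so it survives differences in syslog prefixes; the log lines are constructed, and `rate_limited_sources` and `count_for_ip` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample syslog lines in the format the iptables LOG target
# produces. Three rate-limited SYNs from 198.51.100.7, one from 192.0.2.44,
# and one line with a different prefix that must not be counted.
SAMPLE_LOG='Mar  3 10:01:02 gw kernel: [DROP:RATE_LIMIT] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  3 10:01:03 gw kernel: [DROP:RATE_LIMIT] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Mar  3 10:01:05 gw kernel: [DROP:RATE_LIMIT] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:01:09 gw kernel: [DROP:RATE_LIMIT] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN
Mar  3 10:02:00 gw kernel: [DROP:OTHER] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN'

# Read log lines on stdin, keep only RATE_LIMIT drops, and print
# "<count> <ip>" per source, least noisy first (same shape as uniq -c).
rate_limited_sources() {
    grep 'RATE_LIMIT' | grep -o 'SRC=[0-9.]*' | sed 's/^SRC=//' \
        | sort | uniq -c | sort -n
}

# Number of rate-limited hits for one IP in the sample log (empty if none).
count_for_ip() {
    printf '%s\n' "$SAMPLE_LOG" | rate_limited_sources \
        | awk -v ip="$1" '$2 == ip { print $1 }'
}

# Stand-alone run: full tally of the sample log
printf '%s\n' "$SAMPLE_LOG" | rate_limited_sources
```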