[mythtv-users] Semi-OT: Blocking Brute Force SSH attacks

Brian Wood beww at beww.org
Sun Oct 21 04:24:01 UTC 2007

Larry Sanderson wrote:
>> You can do everything in iptables - forget denyhosts or external
>> scripts:
>> /sbin/iptables -N SSH
>> /sbin/iptables -F SSH
>> /sbin/iptables -A SSH -m recent --name SSH --set --rsource
>> /sbin/iptables -A SSH -i ! ${IFext} -j RETURN
>> /sbin/iptables -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3
>> --name SSH --rsource -j RETURN /sbin/iptables -A SSH -j DUMP
>> (IFext is my external interface).
>> then just jump to the rule chain, and accept the packet if it makes
>> it through:
>> /sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -m state
>> --state NEW -j SSH
>> /sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -j ACCEPT
> As I read this, you are limiting connections to 3 per minute, yes?  I 
> have looked for a way to use iptables to find offending connections 
> (say, more than six in a minute) and then blacklist them for 5 minutes.  
> Also, I would like a way to increase the blacklist time for repeat 
> offenders.
> This approach appeals to me since I use openwrt as my primary router, 
> and it would be nice to block the traffic there before it even gets 
> into my network.

See my comment on the ProSafe units. How many of us really need to have
ssh access from any IP in the world at any time of day? Restricting the
IPs that can get through really cuts down on the possible problems.


More information about the mythtv-users mailing list