[mythtv-users] Semi-OT: Blocking Brute Force SSH attacks

Larry Sanderson larry.sanderson at gmail.com
Sun Oct 21 00:05:31 UTC 2007


> You can do everything in iptables - forget denyhosts or external
> scripts:
>
> /sbin/iptables -N SSH
> /sbin/iptables -F SSH
> /sbin/iptables -A SSH -m recent --name SSH --set --rsource
> /sbin/iptables -A SSH -i ! ${IFext} -j RETURN
> /sbin/iptables -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 \
>   --name SSH --rsource -j RETURN
> /sbin/iptables -A SSH -j DUMP
>
> (IFext is my external interface).
>
> then just jump to the rule chain, and accept the packet if it makes
> it through:
>
> /sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -m state
> --state NEW -j SSH
> /sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -j ACCEPT

As I read this, you are limiting connections to 3 per minute, yes?  I 
have looked for a way to use iptables to find offending connections 
(say, more than six in a minute) and then blacklist them for 5 minutes.  
Also, I would like a way to increase the blacklist time for repeat 
offenders.

This approach appeals to me since I use openwrt as my primary router, 
and it would be nice to block the traffic there before it even gets 
into my network.

-Larry
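
One way to build what Larry describes with nothing but the iptables `recent` match, written here as an added example (it is not code from the thread, and not part of any OpenWrt or MythTV project). It keeps three `recent` lists: `SSH_COUNT` counts new connections per source, `SSH_BAN1` holds sources that exceeded six connections in a minute and are dropped for five minutes, and `SSH_BAN2` holds repeat offenders, which are dropped for an hour. A source lands in `SSH_BAN2` when it trips the threshold again while it still has an `SSH_BAN1` entry from the last 24 hours. The interface name, the thresholds, the list names and the 24-hour "repeat" window are my assumptions, and it assumes the `recent` match (`xt_recent`/`ipt_recent`) is loaded; on OpenWrt I believe that module ships in a separate kmod package rather than the base image, so check for it first.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# SSH rate limit with a 5-minute ban and an escalated 1-hour ban for repeat
# offenders, using only the iptables "recent" match.
# Assumptions: interface name, thresholds and list names are illustrative;
# the kernel has the recent match (on OpenWrt assumed to be an optional kmod).

IFEXT="${IFEXT:-eth0}"   # external interface (assumption; adjust for your WAN)
BURST=6                  # connections allowed per WINDOW seconds
WINDOW=60
BAN1=300                 # first offence: dropped for 5 minutes
BAN2=3600                # repeat offence: dropped for 1 hour
REPEAT=86400             # a ban within this many seconds counts as "repeat"

# Print the rules one per line without applying them, so they can be reviewed.
# Order inside SSH_CHECK matters: active bans are tested before counting.
ssh_ratelimit_rules() {
    cat <<EOF
-A SSH_CHECK -m recent --name SSH_BAN2 --update --seconds $BAN2 --rsource -j DROP
-A SSH_CHECK -m recent --name SSH_BAN1 --update --seconds $BAN1 --rsource -j DROP
-A SSH_CHECK -m recent --name SSH_COUNT --set --rsource
-A SSH_CHECK -m recent --name SSH_COUNT --rcheck --seconds $WINDOW --hitcount $((BURST + 1)) --rsource -m recent --name SSH_BAN1 --rcheck --seconds $REPEAT --rsource -m recent --name SSH_BAN2 --set --rsource -j DROP
-A SSH_CHECK -m recent --name SSH_COUNT --rcheck --seconds $WINDOW --hitcount $((BURST + 1)) --rsource -m recent --name SSH_BAN1 --set --rsource -j DROP
-A INPUT -i $IFEXT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
-A INPUT -i $IFEXT -p tcp --dport 22 -j ACCEPT
EOF
}
# Rule 1-2: anyone on a ban list is dropped; --update refreshes the timer, so a
#           host that keeps hammering stays banned until it goes quiet.
# Rule 3:   record this NEW connection in the per-source counter.
# Rule 4:   7th connection in 60 s from a source banned within the last 24 h:
#           escalate to SSH_BAN2 (1 h) and drop.
# Rule 5:   7th connection in 60 s otherwise: put it in SSH_BAN1 (5 min) and drop.
# Anything that falls off the end of SSH_CHECK returns to INPUT and is accepted.

# Apply the rules with $1 (default: $IPT or /sbin/iptables). Pass "echo" to
# see what would be run without touching the firewall.
apply_ssh_rules() {
    ipt="${1:-${IPT:-/sbin/iptables}}"
    "$ipt" -N SSH_CHECK 2>/dev/null || true   # ignore "chain exists" on re-run
    "$ipt" -F SSH_CHECK || return 1
    while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        "$ipt" $rule || return 1
    done <<EOF
$(ssh_ratelimit_rules)
EOF
}

case "${1:-}" in
    apply) apply_ssh_rules ;;
esac
```

Run it as `sh ssh-ratelimit.sh apply` once at boot (re-running appends a second copy of the two INPUT rules, so delete those first if you reload). Two caveats a practitioner will want: put an ACCEPT for your own management address ahead of the `-j SSH_CHECK` jump, or a typo-prone login from home will lock you out for five minutes; and `recent` lists hold a bounded number of entries (the `ip_list_tot` module parameter, 100 by default), evicting the oldest when full, so a wide scan from many sources can push a ban out early. Current entries and timestamps are visible under `/proc/net/xt_recent/` (`/proc/net/ipt_recent/` on older kernels).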


More information about the mythtv-users mailing list