How to prevent SSH and FTP brute force attacks with iptables on Linux
Earlier I've blogged about how to prevent brute force attacks with fail2ban, denyhosts and blockhosts; however, there is an easier way to protect against basic brute force attacks without installing or configuring any external programs.
The approach described here uses plain iptables rules to filter out brute force attempts.
Here is a small script to stop SSH and FTP attackers that try to initiate more than 3 consecutive connections within 5 minutes to port 22 or port 23 (the rules below only cover port 22):
SERVER_MAIN_IP='AAA.BBB.CCC.DDD'
# chain that holds the trusted sources
/sbin/iptables -N SSH_WHITELIST
# record every new SSH connection attempt in the "sshbr" list
/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --set
# let trusted sources clear their own entry before the limit is checked
/sbin/iptables -A INPUT -p tcp --dport 22 --syn -j SSH_WHITELIST
# 3 or more new connections within 300 seconds from one source: reset the connection
/sbin/iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshbr --update --rttl --hitcount 3 --seconds 300 -j REJECT --reject-with tcp-reset
# remove the trusted IP from the "sshbr" list (the --name must match the list used above)
/sbin/iptables -A SSH_WHITELIST -s $SERVER_MAIN_IP -p tcp --dport 22 --syn -m recent --name sshbr --rttl --remove
Exceptions for trusted sources are iptables rules added to the SSH_WHITELIST chain: a matching connection attempt has its entry removed from the list before the limit is checked.
If you want to add more trusted IPs, add more iptables rules to that chain, like:
ALLOW_IP='BBB.CCC.DDD.EEE'
/sbin/iptables -A SSH_WHITELIST -s $ALLOW_IP -p tcp --dport 22 --syn -m recent --name sshbr --rttl --remove
Each IP that matches the rules is filtered for 5 minutes; if 5 minutes is not enough, increase the 300 value.
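As an added illustration, not part of the original post, the following Python model of the iptables recent match walks a sequence of SYNs through the three INPUT rules above, using the post's list name, hit count and 300-second window; the source addresses, TTL and timings are constructed. It shows that a source stays blocked until 300 seconds after its last attempt, because a matching --update refreshes the entry on every rejected SYN, and that a whitelist --remove aimed at a differently named list leaves the trusted host unprotected.

```python
from collections import deque

HITCOUNT, SECONDS = 3, 300   # the post's --hitcount 3 --seconds 300


class RecentList:
    """One named xt_recent list: per source, the TTL seen and a short ring of timestamps."""

    def __init__(self, hitcount=HITCOUNT):
        # the kernel keeps a small power-of-two ring of stamps; this is a simplified model
        self.ring = 1 << (hitcount - 1).bit_length()
        self.entries = {}  # ip -> [ttl, deque of timestamps]

    def set(self, ip, now, ttl):  # -m recent --set
        entry = self.entries.setdefault(ip, [ttl, deque(maxlen=self.ring)])
        entry[0] = ttl
        entry[1].append(now)

    def update(self, ip, now, ttl, hitcount, seconds):  # --update --rttl --hitcount --seconds
        entry = self.entries.get(ip)
        if entry is None or entry[0] != ttl:  # --rttl: packet TTL must equal the stored one
            return False
        hits = sum(1 for stamp in entry[1] if now - stamp <= seconds)
        if hits < hitcount:
            return False
        entry[1].append(now)  # a matching --update refreshes the entry, extending the block
        return True

    def remove(self, ip, ttl):  # --rttl --remove
        entry = self.entries.get(ip)
        if entry is not None and entry[0] == ttl:
            del self.entries[ip]


def syn_verdict(lst, ip, now, trusted, ttl=64, whitelist_list=None):
    """Walk one SYN to port 22 through the post's three INPUT rules and return the verdict."""
    lst.set(ip, now, ttl)                               # rule 1: --name sshbr --set
    if ip in trusted:                                   # rule 2: -j SSH_WHITELIST
        (whitelist_list or lst).remove(ip, ttl)         # --remove on whichever list is named
    if lst.update(ip, now, ttl, HITCOUNT, SECONDS):     # rule 3: --update ... -j REJECT
        return "REJECT"
    return "ACCEPT"                                     # nothing matched: the SYN goes through


def run(attempts, trusted=frozenset(), whitelist_list=None):
    """attempts: list of (time_in_seconds, source_ip); returns one verdict per SYN."""
    lst = RecentList()
    return [syn_verdict(lst, ip, t, trusted, whitelist_list=whitelist_list) for t, ip in attempts]


if __name__ == "__main__":
    attacker, trusted_host = "203.0.113.7", "192.0.2.10"   # constructed sample addresses
    print(run([(0, attacker), (1, attacker), (2, attacker), (202, attacker), (903, attacker)]))
    print(run([(0, trusted_host), (1, trusted_host), (2, trusted_host)], trusted={trusted_host}))
```

Passing `whitelist_list=RecentList()` to `run` models a whitelist rule without the matching `--name`, which is the DEFAULT list in iptables terms.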