[GRLUG] Limiting SSH brute force attacks with IPTABLES (recent module)...

Collin adderd at kkmfg.com
Mon Feb 20 13:06:08 EST 2006 

john-thomas richards wrote:
> On Mon, Feb 20, 2006 at 12:15:15PM -0500, Godwin wrote:
>   
>> Nothing new, just a different way of handling it.  I, for one, have
>> used the "limit" module before, but the new "recent" way of blocking
>> bad IP's seems better.  Check it (as posted on digg.com):
>>
>> http://www.debian-administration.org/articles/187
>> http://www.linux-noob.com/forums/index.php?showtopic=1829
>>
>> In essence, limit it to 3 atttempts per minute:
>>
>> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
>>   --set
>> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
>>   --update --seconds 60 --hitcount 4 -j DROP
>> iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
>>     
>
> Several times per day I receive brute force attacks on port 22.  Digg had the
> DenyHosts script which detects such attacks and adds the IP address to
> /etc/hosts.deny.  Would it be better to ban the IP altogether rather than limit
> the frequency with which the attacks can occur?  The idea of denying the IP
> appeals to me but I am not a security expert in any sense.
>
>   

Personally I'd like to say that the denying approach  is best but I 
don't think it is... The problem is that it bloats the deny file for 
really no benefit. Have you ever seen any intelligent brute forces on 
SSH? All of the ones I get are stupid attempts from worms and such. No, 
I don't allow root logons and I dont have users named Dick, Jane, Admin, 
Ralf, Guest, etc, etc. They are basically harmless brute force attempts. 
The machines and/or IP's of origin probably don't even know that their 
machine is doing it. Blocking them isn't really going to solve anything. 
The best defense is to disable unused accounts and not use idiotic 
passwords.

The slowing of connection attempts is probably better as it doesn't 
bloat the deny file and it still serves it's purpose. If a REAL brute 
force comes in they'll likely give up rather than have to wait 20 
seconds between tries.

More information about the grlug mailing list