I am trying to get iptables to block multiple ssh attempts, and having only partial success (Ubuntu 10.4 LTS). I've been following recommendations from the excellent post by Rainer Wichmann and decided the best strategy suited for my system is simply having iptables block multiple attempts at ssh. Thus I did the following commands:
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
# Now, as far as I understand it, iptables should block any and all ssh attempts in the 120 seconds after the "SSH_brute_force" event
sudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP
I save the settings by
# to save iptables
sudo iptables-save > /etc/iptables.rules
# to apply rules
# make sure rules load before network connection by editing startup sequence:
sudo nano /etc/network/interfaces # open file for editing
# add this line to load iptables rules before network starts
pre-up iptables-restore < /etc/iptables.rules
So far, everything seems in order. I test the settings by failing several ssh attempts on purpose, and indeed, I become blocked. But there are two problems: 1) iptables still allows ssh attempts from other IP addresses. 2) The time it takes to become unblocked seems random. This is a minor issue, though I would be happy to know why this happens.
I would like iptables to block any and all ssh attempts for 2 minutes if more than 4 ssh attempts/minute are made. I'm open to suggestions for other programs too, but I would prefer to keep it as simple as possible, with the intent of blocking brute-force attempts.
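The behaviour the question describes can be reproduced with a small model of the iptables `recent` match. This is an added example, not code from the original post: it implements the documented semantics of `--set`, `--update`, `--seconds`, `--hitcount` and `--rttl` and walks constructed traffic (the 10.0.0.x addresses and timestamps are made up) through the three rules exactly as posted and through a reordered chain. It assumes the stock ring-buffer size (`ip_pkt_list_tot=20`) and no earlier ESTABLISHED accept rule in INPUT. The run shows three things: the first posted rule ACCEPTs every NEW SSH packet, so the LOG and DROP rules can only ever match packets of already-open sessions; the list is keyed by source address, so another address is never blocked by design; and every counted attempt adds a timestamp, so the moment an address becomes unblocked depends on its whole attempt history inside the window, not on a fixed 120 s after the last failure.

```python
"""Model of the iptables 'recent' match (xt_recent) as used in the question.

Added example, not code from the original post. Assumptions: default
ip_pkt_list_tot=20, no earlier ESTABLISHED accept rule in INPUT, chain policy
ACCEPT, all addresses and timestamps constructed for illustration."""
from collections import deque
from dataclasses import dataclass
from typing import Optional

PKT_LIST_TOT = 20  # default ip_pkt_list_tot: timestamps remembered per source


@dataclass
class RecentEntry:
    stamps: deque  # hit timestamps, oldest first
    ttl: int       # TTL recorded by --set, compared by --rttl


class RecentTable:
    """One named list, e.g. '--name SSH'. Entries are keyed by source address,
    which is why blocking one address never affects any other address."""

    def __init__(self):
        self.entries = {}

    def set(self, src, ts, ttl):
        """--set: record a hit for src. Always matches."""
        e = self.entries.get(src)
        if e is None:
            e = self.entries[src] = RecentEntry(deque(maxlen=PKT_LIST_TOT), ttl)
        e.stamps.append(ts)
        e.ttl = ttl
        return True

    def update(self, src, ts, ttl, seconds, hitcount, rttl=True):
        """--update --seconds N --hitcount M [--rttl]: match when src has at least
        M hits in the last N seconds; a match also adds a fresh stamp, which
        pushes the block window forward on every retry."""
        e = self.entries.get(src)
        if e is None or (rttl and e.ttl != ttl):
            return False
        hits = sum(1 for s in e.stamps if ts - s <= seconds)
        matched = hits >= hitcount
        if matched:
            e.stamps.append(ts)
        return matched


@dataclass
class Rule:
    target: Optional[str]          # ACCEPT, DROP, LOG (non-terminating) or None
    new_only: bool = False         # -m state --state NEW
    recent_set: bool = False       # -m recent --set
    update: Optional[dict] = None  # -m recent --update {"seconds": N, "hitcount": M}


def run_chain(rules, packets):
    """Walk each packet (ts, src, ttl, is_new) through the rules in order and
    return its verdict; the chain policy is assumed to be ACCEPT."""
    table = RecentTable()
    verdicts = []
    for ts, src, ttl, is_new in packets:
        verdict = "ACCEPT"
        for r in rules:
            if r.new_only and not is_new:
                continue
            if r.recent_set:
                table.set(src, ts, ttl)
            elif r.update is not None and not table.update(
                    src, ts, ttl, r.update["seconds"], r.update["hitcount"]):
                continue
            if r.target in ("ACCEPT", "DROP"):
                verdict = r.target
                break
        verdicts.append(verdict)
    return verdicts


# The three rules as posted: the first ACCEPTs every NEW SSH packet, so the
# LOG and DROP rules only ever see packets of sessions that are already open.
AS_POSTED = [
    Rule("ACCEPT", new_only=True, recent_set=True),
    Rule("LOG", update={"seconds": 60, "hitcount": 4}),
    Rule("DROP", update={"seconds": 120, "hitcount": 4}),
]

# Reordered: record the hit first, DROP the 4th NEW connection within 120 s,
# otherwise ACCEPT. Packets of open sessions never touch the recent list.
REORDERED = [
    Rule(None, new_only=True, recent_set=True),
    Rule("DROP", new_only=True, update={"seconds": 120, "hitcount": 4}),
    Rule("ACCEPT", new_only=True),
]

# Constructed traffic: 10.0.0.5 opens new connections at the given seconds,
# 10.0.0.9 opens one in the middle; TTL 64 throughout.
ATTEMPTS = [(t, "10.0.0.5", 64, True) for t in (0, 10, 20, 30)] + \
           [(35, "10.0.0.9", 64, True)] + \
           [(t, "10.0.0.5", 64, True) for t in (40, 50, 150, 200)]

# Four new connections, then a packet belonging to the fourth, open session.
SESSION_PACKET = [(t, "10.0.0.5", 64, True) for t in (0, 10, 20, 30)] + \
                 [(31, "10.0.0.5", 64, False)]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, run_chain(rules, ATTEMPTS), run_chain(rules, SESSION_PACKET))
```

With the rules as posted every NEW connection in the constructed run is accepted, from both addresses, and the only DROP lands on a packet of an already-open session; with the reordered chain the fourth NEW connection from 10.0.0.5 is dropped, the other address is still accepted, the retry at 150 s is still blocked because the hits at 30 to 50 s are inside its 120 s window, and the retry at 200 s goes through. The model ignores what LOG writes and treats `--rttl` only as a TTL equality check.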
You might want to check out fail2ban or ConfigServer Security & Firewall (CSF). They both have the ability to react to brute-force attacks not just on SSH but on pretty much all services you run on your server.
Yeah, I tried fail2ban; the only problem is I don't want the IP to be blocked forever, just for 5 minutes. Consider that a normal user may, from time to time, fail 3 consecutive ssh logins (for example, if caps-lock remains on by mistake). With fail2ban I will have to manually release the IP address, as well as erase it from deny.hosts. Is there a way to get fail2ban to ban an IP address only for 5-10 minutes or so, instead of "forever"?
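The length of a fail2ban ban is the `bantime` setting (in seconds), and fail2ban removes the ban itself when it expires; `findtime` and `maxretry` set the window and the number of failures that trigger it. The fragment below is an added configuration example, not taken from the thread or from fail2ban's own shipped files: it goes in `/etc/fail2ban/jail.local`, which overrides `jail.conf`. The jail section is named `[ssh]` in the fail2ban 0.8 series that the Ubuntu release in the question carries; newer releases name it `[sshd]`.

```ini
# /etc/fail2ban/jail.local  (added example: local overrides for jail.conf)
[DEFAULT]
# seconds an address stays banned; the ban is lifted automatically afterwards
bantime  = 600
# window, in seconds, within which maxretry failures trigger a ban
findtime = 60
maxretry = 4

# jail name on the 0.8 series; use [sshd] on newer fail2ban releases
[ssh]
enabled = true
```

After editing, restart the service (`sudo service fail2ban restart` on that release) and watch `/var/log/fail2ban.log` for the matching Ban and Unban lines to confirm the timing.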