I am trying to get iptables to block multiple ssh attempts, and having only partial success (Ubuntu 10.4 LTS). I've been following recommendations from the excellent post by Rainer Wichmann and decided the best strategy suited for my system is simply having iptables block multiple attempts at ssh.
Thus I did the following commands:

sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
# Now, as far as I understand it, iptables should block any and all ssh attempts in the 120 seconds after the "SSH_brute_force" event
sudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP

I save the settings by

# to save iptables
sudo iptables-save > /etc/iptables.rules
# to apply rules
sudo iptables-apply
# make sure rules load before network connection by editing startup sequence: 
sudo nano /etc/network/interfaces # open file for editing
# add this line to load iptables rules before network starts
pre-up iptables-restore < /etc/iptables.rules

Thus so far everything seems in order. I test settings by failing several ssh attempts on purpose, and indeed, I become blocked. But there are two problems:
1) iptables still allows ssh attempts from other ip addresses.
2) The time it takes to become unblocked seems random. This is a minor issue, though I would be happy to know why this happens.

I would like to have iptables to block any and all ssh attempts for 2 minutes if more than 4 ssh attempts/minute are made. I'm opened to suggestions for other programs too, but I would prefer to keep it as simple as possible, with the intent to block bruteforce attempts.


Recommended Answers

All 5 Replies

You might want to check out fail2ban or ConfigServer Security & Firewall (CSF). They both have the ability to react to brute-force attacks not just on SSH but on pretty much all services you run on your server.

Fail2Ban gets my vote also. We use it on every server installation.

It will watch for auth failures. AFter a certain number of failures you can block the source IP for a set time or forever.

For me, I usually do 5 missed auths gets you a 20 minute ban. And I have it email me so I can watch for recurring attempts.

Yeah I tried fail2ban, only problem is I don't want the IP to be blocked forever. Just for 5 minutes.
Consider that a normal user may, from time to time, fail 3 consecutive ssh logins (for example, if caps-lock remains on, by mistake).
With fail2ban I will have to manually release the IP address, as well as erase it from deny.hosts.
Is there a way to get fail2ban to ban IP address only for 5-10 minutes or so? instead of "forever"?



Edit /etc/fail2ban/jail.conf

Add in the line:

bantime = 600 
maxretry = 3

So after 3 attempts, the IP is banned for 5 min.

You can allso add in IPs to ignore so they never get banned:

ignoreip =

Thanks a bunch! :D

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.