How do I stop bruteforce SSH login attempt?

[Soo-Hyun Choi]

Hi John,

Thanks for your detailed instructions. It helped me a lot. :-)

Soo-Hyun


On 4/12/06, John L Fjellstad <john-ubuntu at fjellstad.org> wrote:
> "Soo-Hyun Choi" <s.choi at hackers.org.uk> writes:
>
> > I know how to block it in a FreeBSD system with "denyhost" or
> > "bruteforceblocker" from the ports, but I have little knowledge in my
> > Ubuntu 5.10 box.
> >
> > Would there be anyone who could tell me something about it?
>
> I use iptables with the recent module.
>
> Basically, something like this will block anyone who tries to connect
> more than once every minute:
>
> /sbin/iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state INVALID,NEW \
> -m recent --update --seconds 60 -j DROP
> /sbin/iptables -A INPUT -p tcp -m state --m state INVALID,NEW -m recent
> --set -j ACCEPT
>
> first rule says, any packages that are related or part of an
> established connection, let it through
> second rule says, if a package to port 22 (ssh) is new or received and
> was received within the last 60 seconds from the same ip address, then
> drop and update the connection table
> third rule says, add all new connections to the table and accept it.
>
> What will happen is, the first connection will go through, but any
> subsequent connection will be dropped if someone tries to do multiple
> connections within a certain time period (60 seconds in this example).
>
> You can put this in a script, and in your /etc/network/interfaces file,
> put the script in your interface stanza, like this:
>
> auto eth0
> iface eth0 inet dhcp
>      pre-up /path/to/the/script.sh  <-- put your script here
>
> --
> John L. Fjellstad
> web: http://www.fjellstad.org/          Quis custodiet ipsos custodes
>
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>