From: "Will Partain" will.partain@verilab.com
"jdow" jdow@earthlink.net writes:
I have found, however, that a simple three-line iptables addition seems to work like a champ, except for filling up the log.
===8<---
# record every new SSH connection attempt in the 'sshattack' recent list
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# log a source that has sent 3 or more SYNs to port 22 in the last 120 seconds
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
# and reject it with a TCP reset
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
===8<---
This is indeed a lovely approach, but has a drawback: it can't tell the difference between many legit SSH connections and many bogus ones.
For example, if you are getting at a Subversion repository with 'svn+ssh://host/repo-stuff', then whole bunches of ssh connections will be made in rapid succession. You can always up the hitcount, but that's just a method waiting to fail (e.g. what if SVN does something unexpected that needs _lots_ of ssh connections).
Of course you must assess your particular needs and determine if limiting connections this way is appropriate. I'm not sure at the moment whether the tracking and blocking is per IP or not. If it is per IP address then it's easy enough to drop the timeout to something reasonable for a SVN transaction but longer than no time at all. It would at least slow people down until you can block their IP completely.
{^_^}
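As an added example that is not part of the thread, the following models how the three posted rules behave: `-m recent` keys its list on the source address by default (`--rsource`), so the window is per IP, and a client such as svn+ssh that opens several connections inside the window trips the rule just like a scanner does. The optional `allow` set stands in for a hypothetical ACCEPT rule for trusted hosts placed ahead of the three rules; the SYN traces are constructed sample data.

```python
# Added example (not from the thread): model of the three posted rules.
# Assumes the default source-address keying of `-m recent` (--rsource).
from collections import defaultdict, deque

WINDOW_SECONDS = 120  # --seconds 120
HITCOUNT = 3          # --hitcount 3

class RecentList:
    """One `-m recent --name sshattack` list: SYN timestamps per source IP."""
    def __init__(self, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(deque)

    def set(self, src, now):
        """Rule 1 (--set): record this SYN against its source address."""
        self.stamps[src].append(now)

    def rcheck(self, src, now):
        """Rules 2 and 3 (--rcheck --seconds --hitcount): true when the source
        has at least `hitcount` recorded SYNs inside the window ending now."""
        q = self.stamps.get(src)
        if not q:
            return False
        while q and now - q[0] > self.seconds:  # drop stamps outside the window
            q.popleft()
        return len(q) >= self.hitcount

def simulate(syns, seconds=WINDOW_SECONDS, hitcount=HITCOUNT, allow=frozenset()):
    """Feed constructed (time, src_ip) SYNs through the chain; return one
    verdict per SYN plus the number of 'SSH REJECT:' log lines produced."""
    table = RecentList(seconds, hitcount)
    verdicts, log_lines = [], 0
    for now, src in syns:
        if src in allow:               # hypothetical whitelist rule (see lead-in)
            verdicts.append("ACCEPT")
            continue
        table.set(src, now)
        if table.rcheck(src, now):     # LOG and REJECT rules share this condition
            log_lines += 1
            verdicts.append("REJECT")
        else:
            verdicts.append("ACCEPT")
    return verdicts, log_lines

if __name__ == "__main__":
    scanner, svn_host = "203.0.113.9", "198.51.100.7"  # constructed addresses
    syns = [(t, scanner) for t in range(5)] + [(10 + t, svn_host) for t in range(4)]
    print(simulate(sorted(syns)), simulate(sorted(syns), allow={svn_host}))
```

Without the whitelist the svn+ssh burst is rejected from its third SYN onwards, exactly the drawback described above; with it, only the scanner is logged and reset.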