From: "Christian Motta" chris@agweb.net
I wrote this script to thwart the brute-force SSH hackers. It isn't the most efficient, but it works. It blocks their IP using iptables. I run it every minute via cron.
#!/usr/bin/perl
Thanks for the nice script Chris. I may add that to deepen my defenses.
I have found, however, that a simple three-line iptables addition seems to work like a champ, except for filling up the log.
===8<---
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
    --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
===8<---
I've taken to looking at where large numbers of rejected connections come from and have been adding them to the firewall manually. Your script can probably be adapted.
(It is amusing how long idiots will keep trying. I had a twit from India trying nearly 10,000 times today before I finally blocked him. He got two chances in that entire set to actually try to guess a password. He made two runs. And right at the start of the two runs he tried and got the predictable password failure. After that, for an hour or more at a stretch, he simply pounded that reject rule, never getting into the system at all. Poor baby. It did prompt me to simply add blanket blocks for much of the APNIC space that's allocated to Asian countries I never expect to visit. It makes life easier.)
{^_-}
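To make the sliding-window behaviour of those three `-m recent` rules concrete, here is an added Python model of the xt_recent match. It is my example, not code from either poster and not the kernel's implementation. It assumes the default list depth of 20 timestamps per address, `--seconds 120 --hitcount 3` as in the rules above, and constructed SYN timings for one attacker and one legitimate user (the addresses are documentation ranges, not real hosts). Because the `--set` rule sits before the check, every rejected SYN also refreshes the entry, which is why a host that keeps hammering never ages out and why the LOG rule fires once per SYN; putting `-m limit` on the LOG rule is the usual remedy, and that is my suggestion rather than something from the thread.

```python
"""Model of the three-rule '-m recent' SSH limiter from the thread.

Added example, not the poster's code: it simulates the xt_recent match
as documented (--set, then --rcheck --seconds S --hitcount N) so the
verdict for each SYN can be seen without root or a kernel.
Assumptions: one entry per source address, timestamps in seconds,
list depth 20 (the xt_recent default ip_pkt_list_tot), no --rttl/--update.
"""
from collections import defaultdict, deque

LIST_DEPTH = 20  # assumed xt_recent ip_pkt_list_tot default


class RecentTable:
    """Minimal model of one xt_recent list (the 'sshattack' list above)."""

    def __init__(self, depth=LIST_DEPTH):
        # Each address keeps only its most recent `depth` packet times.
        self.hits = defaultdict(lambda: deque(maxlen=depth))

    def set(self, addr, now):
        # --set: record this packet's timestamp for the source address.
        self.hits[addr].append(now)

    def rcheck(self, addr, now, seconds, hitcount):
        # --rcheck --seconds S --hitcount N: true when the address has at
        # least N recorded packets whose age is <= S seconds.
        recent = [t for t in self.hits.get(addr, ()) if now - t <= seconds]
        return len(recent) >= hitcount


def syn_chain(table, addr, now, seconds=120, hitcount=3):
    """Walk one SSH SYN through the three rules in order.

    Returns 'REJECT' when the LOG rule (non-terminating) and the REJECT
    rule both match, or 'PASS' when the SYN falls through to whatever
    rule accepts port 22 later in INPUT.
    """
    table.set(addr, now)  # rule 1: --set runs on every SYN, rejected or not
    if table.rcheck(addr, now, seconds, hitcount):
        return "REJECT"  # rule 2 logs, rule 3 sends the tcp-reset
    return "PASS"


def simulate(syns, seconds=120, hitcount=3):
    """syns: iterable of (t_seconds, src_addr) in time order.

    Returns {addr: [verdict, ...]} in arrival order per address.
    """
    table = RecentTable()
    verdicts = defaultdict(list)
    for t, addr in syns:
        verdicts[addr].append(syn_chain(table, addr, t, seconds, hitcount))
    return dict(verdicts)


def log_line_count(verdicts):
    """One 'SSH REJECT:' log line is written per REJECT verdict."""
    return sum(v.count("REJECT") for v in verdicts.values())


if __name__ == "__main__":
    # Constructed traffic: an attacker sending a SYN every 2 s for 10 min,
    # and a legitimate user who fails twice, waits, and tries again.
    attacker = [(t, "203.0.113.7") for t in range(0, 600, 2)]
    legit = [(0, "198.51.100.5"), (30, "198.51.100.5"), (200, "198.51.100.5")]
    v = simulate(sorted(attacker + legit))
    print("attacker first three:", v["203.0.113.7"][:3])
    print("attacker log lines in 10 min:", log_line_count({"a": v["203.0.113.7"]}))
    print("legit user:", v["198.51.100.5"])
```

The attacker gets exactly two SYNs through (the "two chances" in the post) and then produces one log line per SYN for as long as the hammering continues, which is the log growth the reply complains about. The legitimate user's third attempt at t=200 passes because the first two timestamps have aged past 120 seconds, whereas a third attempt at t=100 would be rejected.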