If you must leave ssh open to the outside world, use a simple iptables ruleset to limit attempts:
# This rejects ssh attempts made more than once in 180 seconds...
# First, mark attempts as part of the "sshattack" group...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Optional: Include this line if you want to log these attacks...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j LOG --log-prefix "SSH REJECT: "
# Finally, reject the connection if more than one attempt is made in 180 seconds...
-A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --rcheck --seconds 180 --hitcount 2 -j REJECT --reject-with tcp-reset
If more than one ssh attempt is made in 180 seconds (three minutes)
from a given IP address, this blocks that IP address for that duration.
You get one try. If you fail, you must wait 3 minutes before you can
try again.
Note that even a successful login is counted. If you log in and
immediately log out, you still have to wait 3 minutes to get in again.
Change the "--hitcount 2" bits to "--hitcount 3" if you want to give
yourself two tries to get in. You can also change the "--seconds 180"
to "--seconds 300" to make the delay 5 minutes. The values I give above
are enough to discourage most script kiddie attempts to get into your
box.
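To see how the --set and --rcheck rules above interact over time (including why a retry during the lockout extends it), here is an added simulation that is not part of the post; it models the recent module's matching as used here and assumes the default of 20 remembered timestamps per address.

```python
from collections import defaultdict, deque

# Simplified model of xt_recent as the ruleset above uses it. Assumed
# default: 20 remembered timestamps per address (ip_pkt_list_tot).
MAX_STAMPS = 20


class RecentList:
    def __init__(self, max_stamps=MAX_STAMPS):
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, ip, now):
        """'-m recent --set': record this packet's timestamp for ip."""
        self.stamps[ip].append(now)

    def rcheck(self, ip, now, seconds, hitcount):
        """'-m recent --rcheck --seconds S --hitcount N': match when ip has
        at least N recorded packets no older than S seconds. Read-only."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if t >= now - seconds)
        return hits >= hitcount


def run_ruleset(syns, seconds=180, hitcount=2):
    """Walk SYN packets (timestamp_in_seconds, source_ip) through the chain:
    --set first, then --rcheck -> REJECT. 'PASS' means the packet was not
    rejected by these rules and falls through to the rest of INPUT."""
    recent = RecentList()
    verdicts = []
    for now, ip in syns:
        recent.set(ip, now)                       # rule 1 records every SYN
        if recent.rcheck(ip, now, seconds, hitcount):
            verdicts.append("REJECT")             # rule 3 (LOG rule omitted)
        else:
            verdicts.append("PASS")
    return verdicts


# Constructed sample: one client retrying, a second client unaffected.
SAMPLE = [(0, "198.51.100.7"), (50, "203.0.113.9"), (100, "198.51.100.7"),
          (200, "198.51.100.7"), (400, "198.51.100.7")]

if __name__ == "__main__":
    for (t, ip), v in zip(SAMPLE, run_ruleset(SAMPLE)):
        print(f"t={t:4d}s {ip:15s} {v}")
```

The retry at t=200 is still rejected because the t=100 attempt is inside the 180-second window; the client only gets through again at t=400, once no earlier attempt falls within the window.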
Hi
Sorry to hijack this thread. The above, should it be before or after
you allow the ssh port?
Thanks
G