Protecting ssh with iptables (requires kernel 2.6.18)
On systems where sshdfilter or sshguard don't work, there is a simple iptables fix. Essentially, it marks all NEW connections to port 22 by source address, and if there are more than a certain number of NEW connection attempts from the same address within the time window, subsequent ones will be blocked. To do this, add these to the INPUT chain:
iptables -I INPUT 1 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT 2 -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 6 -j DROP
The first rule records the source address of every NEW connection to port 22 in the recent list; the second drops a NEW connection once that address has been seen 6 or more times in the last 600 seconds.
Then, instead of testing manually, you can run this script (sshtest.sh) to see the result:
#!/bin/bash
# Open a series of NEW connections to sshd. Sending "exit" is enough to make
# sshd answer with its banner and a "Protocol mismatch." before it closes.
# Note: the rules above match on -i eth0, so connections to 127.0.0.1 arrive
# on lo and are not counted; pass the address of eth0 to exercise them.
HOST=${1:-127.0.0.1}
for i in `seq 1 10` ; do
    echo 'exit' | nc $HOST 22 ;
done
You should get replies like the following during the first few iterations, and no reply afterwards. Check the iptables counters (iptables -L INPUT -n -v) and you should see packets being dropped by the DROP rule. Sample run of sshtest.sh:
[root@c50 ~]# ./sshtest.sh
SSH-2.0-OpenSSH_4.3
Protocol mismatch.
SSH-2.0-OpenSSH_4.3
Protocol mismatch.
SSH-2.0-OpenSSH_4.3
Protocol mismatch.
SSH-2.0-OpenSSH_4.3
Protocol mismatch.
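As an added example (not from the original page): a small script that puts a LOG rule in front of the DROP rule above, so blocked attempts show up in the kernel log, plus a function that summarises those log lines per source address. It assumes the two recent rules are already installed at positions 1 and 2 of INPUT; the "SSH-BRUTE: " prefix, the log rate limit and the sample log lines are this example's own constructions.

```shell
#!/bin/bash
# Added example, not part of the original page. It assumes the two "recent"
# rules from the page are already in the INPUT chain (--set at position 1,
# DROP at position 2) and adds a LOG rule between them so that blocked
# attempts appear in the kernel log. The prefix "SSH-BRUTE: " and the
# 3/minute log rate limit are this example's own choices.

install_log_rule() {
    # --rcheck tests the same 6-hits-in-600s condition as the DROP rule without
    # touching the timestamps; LOG is non-terminating, so the packet still
    # reaches the DROP rule, which moves to position 3 after this insert.
    iptables -I INPUT 2 -p tcp --dport 22 -i eth0 -m state --state NEW \
        -m recent --rcheck --seconds 600 --hitcount 6 \
        -m limit --limit 3/minute -j LOG --log-prefix "SSH-BRUTE: "
}

# Summarise the resulting kernel log lines read from stdin: one line per
# blocked source address as "<count> <address>", most active first.
summarize_drops() {
    grep 'SSH-BRUTE: ' \
      | sed -n 's/.*SRC=\([0-9.]*\) .*DPT=22 .*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample of kernel LOG output (not captured from a real host);
# the last line is an unrelated kernel message that must be ignored.
SAMPLE_LOG='Jan 10 12:00:01 c50 kernel: SSH-BRUTE: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:02 c50 kernel: SSH-BRUTE: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:03 c50 kernel: SSH-BRUTE: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:04 c50 kernel: SSH-BRUTE: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:05 c50 kernel: SSH-BRUTE: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=5 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:06 c50 kernel: eth0: link up, 100Mbps, full-duplex'

# Run the summary on the sample; install_log_rule is only called explicitly
# (as root, e.g. "./sshlog.sh install") because it changes the firewall.
if [ "$1" = "install" ]; then
    install_log_rule
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
fi
```

On a live host, feed the real log to the summary instead of the sample, e.g. dmesg | summarize_drops, or the file your syslog writes kernel messages to.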
Note: ipt_recent prior to kernel 2.6.18 is not reliable. For kernel 2.4, try this instead (the limit match caps the overall rate of NEW connections to port 22, not the rate per source address):
iptables -I INPUT 1 -m state --state NEW -p tcp --dport 22 -m limit --limit 10/minute --limit-burst 2 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 3 -p tcp --dport 22 -j DROP