

Prevent ssh brute force attacks with sshdfilter

Download sshdfilter from its web site.
Version 1.5.3 is easy to set up: download the source file, run the install script, and create the SSHD iptables chain. Then restart syslog and start the sshdfilter service. Its log output goes to /var/log/secure.

Add necessary iptables entries
iptables -N SSHD
iptables -I INPUT 1 -p tcp --dport 22 -j SSHD
# You'd probably want to allow ssh access from a certain server no matter what.
# Inserted at position 1 after the jump above, this ACCEPT lands in front of the SSHD chain.
iptables -I INPUT 1 -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT
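The order of those two INPUT rules is what keeps the trusted host reachable even if sshdfilter ever blocks it, so it is worth checking rather than assuming. The script below is an added example, not part of the page or of sshdfilter: it reads rules in the format printed by `iptables -S INPUT` and reports whether the trusted-host ACCEPT comes before the jump to SSHD. The rule text is constructed here; on a live host replace `sample_rules` with `iptables -S INPUT`. `TRUSTED_HOST` is an assumed placeholder standing in for the 1.2.3.4 above.

```shell
# Added example (not from the original page or from sshdfilter).
# TRUSTED_HOST is an assumed placeholder for the server that must always get in.
TRUSTED_HOST="1.2.3.4"

# Constructed sample in the format of `iptables -S INPUT`; on a real host use:
#   iptables -S INPUT
sample_rules() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSHD
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Print the 1-based position in INPUT of the first rule matching an awk regex,
# or 0 when no rule matches. $1 = rules text, $2 = regex.
rule_position() {
  printf '%s\n' "$1" | awk -v pat="$2" '
    /^-A INPUT/ { n++; if ($0 ~ pat) { print n; found = 1; exit } }
    END { if (!found) print 0 }'
}

# Verify that the port-22 jump to SSHD exists and that the trusted-host
# ACCEPT is evaluated before it. Prints a one-word verdict.
check_ssh_rules() {
  rules=$1
  jump=$(rule_position "$rules" "--dport 22 -j SSHD$")
  allow=$(rule_position "$rules" "-s ${TRUSTED_HOST}/32 .*--dport 22 -j ACCEPT$")
  if [ "$jump" -eq 0 ]; then
    echo "MISSING"          # no jump to the SSHD chain: sshdfilter blocks do nothing
    return 1
  fi
  if [ "$allow" -eq 0 ]; then
    echo "NOALLOW"          # trusted host has no bypass rule
    return 2
  fi
  if [ "$allow" -lt "$jump" ]; then
    echo "OK"               # ACCEPT is hit before the SSHD chain is consulted
    return 0
  fi
  echo "BADORDER"           # ACCEPT sits after the jump, so a DROP in SSHD wins
  return 3
}

# Usage on the constructed sample:
check_ssh_rules "$(sample_rules)"
```

Run it after adding the rules; anything other than `OK` means the trusted host is not actually exempt from the SSHD chain.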


To check the installation, just look at /var/log/messages, /var/log/secure, and the iptables counters. My iptables after running sshdfilter for 1 day:
# iptables
Chain SSHD (1 references)
 pkts bytes target     prot opt in     out     source               destination
   18  1396 DROP       tcp  --  *      *       61.133.95.228        0.0.0.0/0           tcp dpt:22
   22  1732 DROP       tcp  --  *      *       222.255.236.12       0.0.0.0/0           tcp dpt:22
   22  1732 DROP       tcp  --  *      *       85.25.20.222         0.0.0.0/0           tcp dpt:22
    0     0 DROP       tcp  --  *      *       60.250.231.36        0.0.0.0/0           tcp dpt:22
# secure log
sshdfilt[9575]: Cancelled instant block of 165.98.233.4
sshdfilt[9575]: Cancelled instant block of 210.6.69.117
sshdfilt[9575]: Cancelled instant block of 64.150.163.110
sshdfilt[9575]: Cancelled guesswork based block of 218.98.194.140
sshdfilt[9575]: Illegal user name, instant block of 218.1.65.233
sshdfilt[9575]: No ssh id string from client, instant block of 67.82.36.169
sshdfilt[9575]: Illegal user name, instant block of 205.237.97.173
sshdfilt[9575]: Cancelled instant block of 219.239.98.111
sshdfilt[9575]: Cancelled instant block of 218.91.236.93 
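The secure log mixes block and cancel events, so the useful question is which addresses are still blocked and why blocks were issued. The script below is an added example, not code from the page or from sshdfilter: two awk-based functions read sshdfilt lines from stdin, one listing addresses with a block that was never cancelled, the other counting instant blocks by reason. The log lines are constructed here with a syslog prefix; on a live host feed them with `grep sshdfilt /var/log/secure`.

```shell
# Added example (not from the original page or from sshdfilter).
# Constructed sample log lines in the shape sshdfilter writes to /var/log/secure.
sample_log() {
  cat <<'EOF'
Jan 14 03:11:52 bastion sshdfilt[9575]: Illegal user name, instant block of 218.1.65.233
Jan 14 03:12:07 bastion sshdfilt[9575]: No ssh id string from client, instant block of 67.82.36.169
Jan 14 03:12:40 bastion sshdfilt[9575]: Cancelled instant block of 67.82.36.169
Jan 14 03:15:03 bastion sshdfilt[9575]: Illegal user name, instant block of 205.237.97.173
Jan 14 03:20:00 bastion sshdfilt[9575]: Cancelled guesswork based block of 218.98.194.140
Jan 14 03:21:10 bastion sshd[9600]: Accepted publickey for admin from 1.2.3.4 port 51234 ssh2
EOF
}

# Addresses that received a block and no later "Cancelled" line, sorted.
# Only sshdfilt lines are considered; the IP is always the last field.
active_blocks() {
  awk '
    /sshdfilt\[[0-9]+\]: / && / block of / {
      ip = $NF
      if ($0 ~ /Cancelled/) cancelled[ip] = 1
      else blocked[ip] = 1
    }
    END { for (ip in blocked) if (!(ip in cancelled)) print ip }' | sort
}

# Count non-cancelled blocks by the reason text that precedes ", instant block of"
# (or ", guesswork based block of"), most frequent first: "<count> <reason>".
block_reasons() {
  awk '
    /sshdfilt\[[0-9]+\]: .*, (instant|guesswork based) block of / && !/Cancelled/ {
      s = $0
      sub(/.*sshdfilt\[[0-9]+\]: /, "", s)
      sub(/, (instant|guesswork based) block of .*/, "", s)
      count[s]++
    }
    END { for (r in count) printf "%d %s\n", count[r], r }' | sort -rn
}

# Usage on the constructed sample; on a real host:
#   grep sshdfilt /var/log/secure | active_blocks
echo "still blocked:"
sample_log | active_blocks
echo "block reasons:"
sample_log | block_reasons
```

Comparing the `active_blocks` output against the SSHD chain (`iptables -L SSHD -n`) is a quick way to confirm the log and the firewall agree.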
