[plug] firewalling ssh

Shannon Carver shannon.carver at gmail.com
Mon Jan 8 15:41:52 WST 2007

How about:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 -j DROP

This block anything after the 3rd hit from an IP within 60 seconds.

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On Behalf
Of Tim Bowden
Sent: Monday, 8 January 2007 3:32 PM
To: plug
Subject: [plug] firewalling ssh

Hi all,

I'm trying to protect a debian box from ssh attacks.  I need to be able
to ssh in from anywhere so I need to keep port 22 open. What I would
like to do though is drop connection requests from any address that
attempts to connect more than three or four times in less than a minute.
Any ideas on how to do it?  What I'd like to do is an iptables rule that
does rate limiting syn packets per each source address but I don't
believe that's possible (at least out of the box).

Tim Bowden

PLUG discussion list: plug at plug.org.au
Committee e-mail: committee at plug.linux.org.au

More information about the plug mailing list