[plug] firewalling ssh

Bernd Felsche bernie at innovative.iinet.net.au
Mon Jan 8 18:27:22 WST 2007

Tim Bowden <tim.bowden at westnet.com.au> writes:

>I'm trying to protect a debian box from ssh attacks.  I need to be
>able to ssh in from anywhere so I need to keep port 22 open. What I
>would like to do though is drop connection requests from any
>address that attempts to connect more than three or four times in
>less than a minute.  Any ideas on how to do it?  What I'd like to

You've never mis-typed a password? Twice?

>do is an iptables rule that does rate limiting syn packets per each
>source address but I don't believe that's possible (at least out of
>the box).

You should also look at "port knocking".

This means that you don't run the sshd (at the usual port) but with
a deft sequence of hitting a pre-defined sequence of ports within a
short period of time, you then set the sshd to listen to the IP
address from which you're knocking... for a minute.

Connection by pre-shared key is also possible which frustrates
dictionary attacks for trying to get access. Change the key
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ /  ASCII ribbon campaign | "If we let things terrify us,
 X   against HTML mail     |  life will not be worth living."
/ \  and postings          | Lucius Annaeus Seneca, c. 4BC - 65AD.

More information about the plug mailing list