[plug] firewalling ssh

Patrick Coleman blinken at gmail.com
Mon Jan 8 18:58:05 WST 2007


On 1/8/07, Tim Bowden <tim.bowden at westnet.com.au> wrote:
> Hi all,
>
> I'm trying to protect a debian box from ssh attacks.  I need to be able
> to ssh in from anywhere so I need to keep port 22 open. What I would
> like to do though is drop connection requests from any address that
> attempts to connect more than three or four times in less than a minute.
> Any ideas on how to do it?  What I'd like to do is an iptables rule that
> does rate limiting syn packets per each source address but I don't
> believe that's possible (at least out of the box).

This was discussed a while back I think - I use ipb-monitor
(http://jason.mindsocket.com.au/pages/linux/ipb-monitor/) which was
written by someone on this list (Jason). Basically it scans logfiles
and blacklists IPs using iptables if they exceed some number (10 works
well) of connection attempts in a minute. It's also possible to share
the blacklist among servers. This is very effective for me in killing
SSH scans.

--Patrick

-- 
http://www.labyrinthdata.net.au



More information about the plug mailing list