[plug] firewalling ssh

Tim Bowden tim.bowden at westnet.com.au
Mon Jan 8 23:12:09 WST 2007


On Mon, 2007-01-08 at 18:58 +0900, Patrick Coleman wrote:
> On 1/8/07, Tim Bowden <tim.bowden at westnet.com.au> wrote:
> > Hi all,
> >
> > I'm trying to protect a Debian box from ssh attacks.  I need to be able
> > to ssh in from anywhere so I need to keep port 22 open. What I would
> > like to do though is drop connection requests from any address that
> > attempts to connect more than three or four times in less than a minute.
> > Any ideas on how to do it?  What I'd like to do is an iptables rule that
> > does rate limiting syn packets per each source address but I don't
> > believe that's possible (at least out of the box).
> 
> This was discussed a while back I think - I use ipb-monitor
> (http://jason.mindsocket.com.au/pages/linux/ipb-monitor/) which was
> written by someone on this list (Jason). Basically it scans logfiles
> and blacklists IPs using iptables if they exceed some number (10 works
> well) of connection attempts in a minute. It's also possible to share
> the blacklist among servers. This is very effective for me in killing
> SSH scans.
> 
> --Patrick
> 

This looks spot on.  Thanks Patrick, and well done Jason.

Regards,
Tim Bowden
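
The log-scanning approach described in the quoted reply, as an added example that is not part of the original thread and is not ipb-monitor's code. It assumes OpenSSH "Failed password" syslog lines; the function names, the year and the sample addresses (documentation ranges) are constructed, and the iptables rules are only rendered as text, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import IPv4Address

# Anchored at the end of the line and greedy before " from", so text placed in
# the username field cannot supply the address that gets blocked.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (\S+) port \d+ ssh2$"
)

def find_offenders(lines, threshold=10, window=timedelta(minutes=1), year=2007):
    """Return source IPs with more than `threshold` failures inside `window`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = []
    for line in lines:
        m = FAILED.match(line.rstrip())
        if not m:
            continue  # unrelated log line
        try:
            ip = str(IPv4Address(m.group(2)))  # IPv4 only, as iptables is
        except ValueError:
            continue  # not a literal address; never pass it to a firewall rule
        # Syslog timestamps carry no year; `year` is an assumption.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # expire attempts older than the window
            q.popleft()
        if len(q) > threshold and ip not in offenders:
            offenders.append(ip)
    return offenders

def block_rules(ips):
    """Render (not execute) one iptables DROP rule per offending address."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

def sample_log():
    """Constructed sample: a burst from one address, slow retries from another."""
    burst = [f"Jan  8 18:00:{s:02d} host sshd[1234]: Failed password for invalid "
             f"user admin from 203.0.113.5 port 4242 ssh2" for s in range(0, 55, 5)]
    slow = [f"Jan  8 18:{m:02d}:00 host sshd[1235]: Failed password for root "
            f"from 198.51.100.7 port 5151 ssh2" for m in range(12)]
    ok = ["Jan  8 18:00:30 host sshd[1236]: Accepted publickey for tim "
          "from 192.0.2.10 port 6161 ssh2"]
    return burst + slow + ok

if __name__ == "__main__":
    print("\n".join(block_rules(find_offenders(sample_log()))))
```

Only the burst source crosses the default threshold of 10; the address retrying once a minute never has more than one attempt inside the window.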



