Vitavonni

Tue, 22 Nov 2005

How to filter ssh scanners

Here's an easy recipe to filter those annoying SSH scanners at your firewall:

# Rule 1: record every new SSH connection attempt in the "SSH" list
iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH
# Optional: log a source that has hit the list 5 times within 60 seconds
#iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
#       -m recent --update --seconds 60 --hitcount 5 --rttl \
#       --name SSH -j LOG --log-prefix "SSH_brute_force "
# Rule 2: drop such a source (--rttl: only if the packet's TTL matches the last recorded one)
iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP

This configuration allows up to 5 SSH connections in a 60-second timeframe. This will usually make SSH scanners go away after their 5th retry, and seriously slow them down otherwise.
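
As an added illustration (not code from the post), here is a small Python model of what the two rules do to a stream of NEW connections: it reimplements the recent match's --set/--update/--seconds/--hitcount bookkeeping on constructed sample traffic, leaves --rttl out, and assumes the kernel's default ring of 20 timestamps per address.

```python
"""Model of the post's two 'recent' rules: rule 1 records every NEW SSH
connection (--set); rule 2 drops it when the source already has --hitcount
timestamps within --seconds (--update). Assumption: --rttl is not modelled."""
from collections import defaultdict

SECONDS = 60     # --seconds 60
HITCOUNT = 5     # --hitcount 5
MAX_STAMPS = 20  # xt_recent keeps a ring of timestamps per address (ip_pkt_list_tot)


def record(table, src, now):
    stamps = table[src]        # append a timestamp to the source's ring,
    stamps.append(now)         # overwriting the oldest one when it is full
    if len(stamps) > MAX_STAMPS:
        del stamps[0]


def recent_set(table, src, now):
    """-m recent --set: always matches and records this packet."""
    record(table, src, now)
    return True


def recent_update(table, src, now, seconds=SECONDS, hitcount=HITCOUNT):
    """-m recent --update --seconds S --hitcount N: matches when the source already
    has >= N timestamps in the last S seconds; a match also records this packet,
    so retrying while blocked keeps the block alive."""
    if src not in table:
        return False
    hits = sum(1 for t in table[src] if now - t <= seconds)
    if hits >= hitcount:
        record(table, src, now)
        return True
    return False


def filter_new_connections(attempts):
    """Run each NEW connection (src, time) through both rules; returns
    (src, time, verdict) where verdict is 'DROP' or 'pass' (on to later rules)."""
    table = defaultdict(list)  # source address -> timestamps, as the kernel keeps them
    verdicts = []
    for src, now in attempts:
        recent_set(table, src, now)               # rule 1: --set, no target
        dropped = recent_update(table, src, now)  # rule 2: --update ... -j DROP
        verdicts.append((src, now, "DROP" if dropped else "pass"))
    return verdicts


# Constructed sample: a scanner hammering port 22 and a user with two logins.
SAMPLE = [("192.0.2.10", 0), ("203.0.113.7", 5), ("192.0.2.10", 10),
          ("192.0.2.10", 20), ("192.0.2.10", 30), ("192.0.2.10", 40),
          ("203.0.113.7", 45), ("192.0.2.10", 50), ("192.0.2.10", 130)]
```

The scanner's 5th and 6th attempts inside the window are dropped while the user's logins pass; its attempt at t=130, with fewer than 5 timestamps left in the last 60 seconds, gets through again.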

If you have users who "rightfully" need to make more SSH connections than that, make them use a VPN, a "safe" source IP range, or whatever fits your setup.

To protect your firewall host, use INPUT instead of FORWARD.

Note that you can also implement port-knocking with the recent match.

[category: /en/linux | Permalink]