For security reasons we should limit the number of login attempts against our server's SSH daemon. This can be done with a combination of SSH configuration and firewall settings. With the following solution an attacker can produce at most 3 failed logins within 2 minutes before being blocked for 120 seconds.
1) Add the following line to
2) Add the following firewall rules
Create a new chain
iptables -N SSHATTACK
iptables -A SSHATTACK -j LOG --log-prefix "Possible SSH attack! " --log-level 7
iptables -A SSHATTACK -j DROP
Block each IP address for 120 seconds that establishes more than three connections within 120 seconds. On the fourth connection attempt the request is delegated to the SSHATTACK chain, which logs the possible SSH attack and finally drops the request.
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
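To see exactly which attempt the two INPUT rules hand to SSHATTACK, and when a source is allowed through again, here is a small simulation of the recent match as those rules use it. This is an added example, not part of the original post: it models `--set` as always recording a timestamp and `--update --seconds 120 --hitcount 4` as matching when at least four timestamps fall inside the window (recording a further timestamp only on a match), with at most 20 timestamps kept per address, which is the kernel module's default list size. The event list is constructed sample data with documentation addresses.

```python
"""Simulation of the iptables 'recent' match as used by the rules above.

Added example, not from the original post. It models the two INPUT rules
    -m recent --set
    -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK
so you can see which NEW connection from a source address is the first one
handed to the SSHATTACK chain, and when the window clears again.
Assumed semantics (modelled on xt_recent): --set always records a timestamp,
--update records one only when the rule matched, and at most LIST_TOT
timestamps are kept per address. Times are seconds; events are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 120   # --seconds 120
HITCOUNT = 4           # --hitcount 4: the 4th hit inside the window matches
LIST_TOT = 20          # xt_recent keeps this many timestamps per address by default


class RecentTable:
    """In-memory stand-in for one xt_recent address list."""

    def __init__(self, window=WINDOW_SECONDS, hitcount=HITCOUNT, list_tot=LIST_TOT):
        self.window = window
        self.hitcount = hitcount
        self.entries = defaultdict(lambda: deque(maxlen=list_tot))

    def set(self, src, now):
        """--set: add the current time to src's entry (creating it if needed)."""
        self.entries[src].append(now)

    def update(self, src, now):
        """--update --seconds W --hitcount N: match if src has at least N
        timestamps no older than W seconds; on a match, also record `now`."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= self.window)
        matched = hits >= self.hitcount
        if matched:
            stamps.append(now)
        return matched


def simulate(events):
    """events: iterable of (time_seconds, source_ip) for NEW connections to
    port 22, in time order. Returns one verdict per event: 'DROP' when the
    packet would be handed to SSHATTACK (logged and dropped), else 'PASS'
    (it continues down the INPUT chain to whatever rule accepts SSH)."""
    table = RecentTable()
    verdicts = []
    for now, src in events:
        table.set(src, now)            # rule 1: -m recent --set
        if table.update(src, now):     # rule 2: -m recent --update ... -j SSHATTACK
            verdicts.append("DROP")
        else:
            verdicts.append("PASS")
    return verdicts


# Constructed sample: 192.0.2.10 retries every 10 s, keeps trying once more
# while blocked, then stays quiet; 192.0.2.50 connects a single time.
SAMPLE_EVENTS = [
    (0, "192.0.2.10"), (5, "192.0.2.50"), (10, "192.0.2.10"),
    (20, "192.0.2.10"), (30, "192.0.2.10"), (100, "192.0.2.10"),
    (250, "192.0.2.10"),
]

if __name__ == "__main__":
    for (now, src), verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={now:>4}s {src:<12} {verdict}")
```

The sample shows the fourth attempt at t=30 being dropped, the retry at t=100 being dropped as well (a blocked attempt is itself recorded, so the block is renewed while the source keeps trying), and the attempt at t=250 passing once no four timestamps remain within the 120 s window.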
3) See log entries of possible ssh attacks in
Dec 27 18:01:58 ubuntu kernel: [ 510.007570] Possible SSH attack! IN=eth0 OUT= MAC=01:2c:18:47:43:2d:10:c0:31:4d:11:ac:f8:01 SRC=192.168.203.129 DST=192.168.203.128 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30948 DF PROTO=TCP SPT=53272 DPT=1785 WINDOW=14600 RES=0x00 SYN URGP=0
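Log lines in this format pile up quickly, so the next thing a practitioner wants is a parser that turns them into fields and counts hits per source address. The following is an added example, not part of the original post: it splits a syslog line of the shape shown above into timestamp, host, uptime and the netfilter KEY=VALUE tokens (bare tokens such as DF and SYN are collected as flags), then aggregates by SRC. Only the first sample line is the one from the post; the others are constructed, using RFC 5737 documentation addresses.

```python
"""Parser for the kernel log lines produced by the SSHATTACK LOG rule.

Added example, not part of the original post. Only the first entry of
SAMPLE_LINES is taken from the post; the remaining lines are constructed.
"""
import re
from collections import Counter

LOG_PREFIX = "Possible SSH attack! "   # must equal the --log-prefix of the LOG rule

# "Dec 27 18:01:58 ubuntu kernel: [ 510.007570] <prefix>IN=eth0 OUT= ..."
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: \[\s*(?P<uptime>\d+\.\d+)\] (?P<rest>.*)$"
)


def parse_kernel_log_line(line):
    """Return a dict for one SSHATTACK log line, or None if the line is not one.

    Netfilter writes KEY=VALUE tokens (the value may be empty, e.g. OUT=) and
    bare flag tokens such as DF or SYN; the flags are collected under 'flags'."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    _, found, fields = m.group("rest").partition(LOG_PREFIX)
    if not found:
        return None          # some other kernel message, not our LOG rule
    record = {"ts": m.group("ts"), "host": m.group("host"),
              "uptime": float(m.group("uptime")), "flags": []}
    for token in fields.split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
        else:
            record["flags"].append(token)
    return record


def count_sources(lines):
    """Count SSHATTACK log lines per SRC address; non-matching lines are skipped."""
    hits = Counter()
    for line in lines:
        rec = parse_kernel_log_line(line)
        if rec is not None and "SRC" in rec:
            hits[rec["SRC"]] += 1
    return hits


SAMPLE_LINES = [
    # line from the post
    "Dec 27 18:01:58 ubuntu kernel: [ 510.007570] Possible SSH attack! IN=eth0 OUT= "
    "MAC=01:2c:18:47:43:2d:10:c0:31:4d:11:ac:f8:01 SRC=192.168.203.129 DST=192.168.203.128 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30948 DF PROTO=TCP SPT=53272 DPT=1785 "
    "WINDOW=14600 RES=0x00 SYN URGP=0",
    # constructed lines (documentation address as the source)
    "Dec 27 18:03:10 ubuntu kernel: [ 582.110021] Possible SSH attack! IN=eth0 OUT= "
    "MAC=01:2c:18:47:43:2d:10:c0:31:4d:11:ac:f8:01 SRC=192.0.2.10 DST=192.168.203.128 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4101 DF PROTO=TCP SPT=41022 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    "Dec 27 18:03:41 ubuntu kernel: [ 613.455300] Possible SSH attack! IN=eth0 OUT= "
    "MAC=01:2c:18:47:43:2d:10:c0:31:4d:11:ac:f8:01 SRC=192.0.2.10 DST=192.168.203.128 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4102 DF PROTO=TCP SPT=41023 DPT=22 "
    "WINDOW=29200 RES=0x00 SYN URGP=0",
    # unrelated constructed kernel message that must be ignored
    "Dec 27 18:04:02 ubuntu kernel: [ 634.002000] eth0: link is up",
]

if __name__ == "__main__":
    for src, n in count_sources(SAMPLE_LINES).most_common():
        print(f"{src:<16} {n} logged attempt(s)")
```

Because DPT is extracted as a field, the same records let you confirm that the logged destination port is the one the INPUT rules are meant to protect before acting on a count.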