Set max login attempts for SSH

Network Norckon 926℃ 0评论

ssh-picture

INTRODUCE

For some security reason, we must set max login attempts for our server’s SSH server. But we can use a combination of ssh configuration and firewall settings. With the following solution an attacker is allowed to produce exactly 3 fault logins in 2 minutes, until he will be blocked for 120 seconds.

STEPS

1) Add the following line to /etc/ssh/sshd_config

MaxAuthTries 1

2) Add the following firewall rules

Create a new chain

iptables -N SSHATTACK
iptables -A SSHATTACK -j LOG --log-prefix "Possible SSH attack! " --log-level 7
iptables -A SSHATTACK -j DROP

Block each IP address for 120 seconds which establishe more than three connections within 120 seconds. In case of the forth connection attempt, the request gets delegated to the SSHATTACK chain, which is responsible for logging the possible ssh attack and finally drops the request.

iptables -A INPUT -i eth0 -p tcp -m state --dport 22 --state NEW -m recent --set
iptables -A INPUT -i eth0 -p tcp -m state --dport 22 --state NEW -m recent --update --seconds 120 --hitcount 4 -j SSHATTACK

3) See log entries of possible shh- attacks in /var/log/syslog

Dec 27 18:01:58 ubuntu kernel: [  510.007570] Possible SSH attack! IN=eth0 OUT= MAC=01:2c:18:47:43:2d:10:c0:31:4d:11:ac:f8:01 SRC=192.168.203.129 DST=192.168.203.128 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30948 DF PROTO=TCP SPT=53272 DPT=1785 WINDOW=14600 RES=0x00 SYN URGP=0

ORIGINAL LINK

喜欢 (0)
COMMENT
Cancel Comment
EMOJI

Hi, We need some information

  • Nickname (*)
  • E-Mail (*)
  • Website