{"id":418,"date":"2011-01-28T00:30:38","date_gmt":"2011-11-08T05:51:50","guid":{"rendered":"http:\/\/kraftek.com\/blog\/making-ssh-brute-force-attacks-lifes-harder\/"},"modified":"2015-01-07T22:38:11","modified_gmt":"2015-01-07T22:38:11","slug":"making-ssh-brute-force-attacks-lifes-harder","status":"publish","type":"post","link":"\/blog\/index.php\/making-ssh-brute-force-attacks-lifes-harder\/","title":{"rendered":"making ssh brute force attacks life&#8217;s harder"},"content":{"rendered":"<p>if you have many of these in your log:<\/p>\n<pre>\r\nNov 8 13:55:47 www sshd[12571]: Failed password for invalid user webmaster from 189.180.184.89 port\r\n47706 ssh2\r\n<\/pre>\n<p>you can use iptables to stop them for a while, so their brute force will take years to succeed, if ever.<br \/>\nI added some rules so that only 5 connections can be made in a minute to ssh, if one more is attempted the<br \/>\nhost will be banned for 2 minutes, if more connections are retried, the ban is extended. since the bots can&#8217;t<br \/>\nhelp themselves they wont&#8217; stop, so they&#8217;ll be banned for a real while \ud83d\ude42<\/p>\n<pre>\r\niptables -N SSH_WHITELIST\r\niptables -A SSH_WHITELIST -s 175.161.21.55 -m recent --remove --name SSH -j ACCEPT\r\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH\r\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST\r\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --rttl\r\n--name SSH -j ULOG --ulog-prefix SSH_brute_force\r\niptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 6 --rttl\r\n--name SSH -j DROP\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>if you have many of these in your log: Nov 8 13:55:47 www sshd[12571]: Failed password for invalid user webmaster from 189.180.184.89 port 47706 ssh2 you can use iptables to stop them for a while, so their brute force will take years to succeed, if ever. I added some rules so that only 5 connections [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-418","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"\/blog\/index.php\/wp-json\/wp\/v2\/posts\/418","targetHints":{"allow":["GET"]}}],"collection":[{"href":"\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=418"}],"version-history":[{"count":1,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/posts\/418\/revisions"}],"predecessor-version":[{"id":1113,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/posts\/418\/revisions\/1113"}],"wp:attachment":[{"href":"\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=418"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=418"},{"taxonomy":"post_tag","embeddable":true,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=418"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}