Use IPTables to ban repeated ssh attempts

My logs were getting filled with scripts trying to log in via ssh. I already have “PasswordAuthentication no” so I believe I am safe. I wanted to add a new layer (and keep my logs cleaner). I added the following to my iptables config. Anyone with more than 4 connections in 60 seconds is banned:

:SSHAUTOBAN - [0:0]
. . . 
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j SSHAUTOBAN
. . . 
-A SSHAUTOBAN -m recent --set --name SSH
-A SSHAUTOBAN -m recent --rcheck --hitcount 4 --name SSH -j LOG
-A SSHAUTOBAN -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
-A SSHAUTOBAN -m recent --rcheck --name SSH -j ACCEPT
COMMIT
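The chain above relies on how the `recent` match counts hits, and that is easy to get wrong when reading it. The following Python script is an added example, not part of the original post, that simulates the four SSHAUTOBAN rules against a constructed sequence of new SSH connections; the model of xt_recent it uses (`--set` records a timestamp, `--rcheck` matches when at least `--hitcount` timestamps exist, `--seconds` restricts the count to recent timestamps, a matched `--update` records one more timestamp, and each address keeps at most 20 timestamps) is my reading of the kernel module and is stated as an assumption; `--rttl` is not modelled. The addresses in the sample run are constructed. Two points the simulation makes visible: `--hitcount 4` counts the packet that `--set` has just recorded, so the fourth new connection inside 60 seconds is the one that gets dropped, and because a matched `--update` adds another timestamp, every further attempt while banned pushes the ban out. The LOG rule has no `--seconds`, so once an address has accumulated four timestamps it is logged on every later connection, even ones that are accepted.

```python
"""Simulate the SSHAUTOBAN chain (iptables -m recent) over a list of connections.

Assumed model of xt_recent (not the kernel code itself):
  --set        records the current time for the source address
  --rcheck     matches if the address is listed and >= hitcount stamps count
  --update     like --rcheck, but on a match also records a new stamp
  --seconds N  only stamps newer than N seconds are counted
  --hitcount N at least N counted stamps are required to match
An address keeps at most IP_PKT_LIST_TOT stamps (xt_recent default: 20).
"""
from collections import defaultdict

IP_PKT_LIST_TOT = 20


class RecentList:
    """One named list, e.g. --name SSH: source address -> list of timestamps."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        stamps = self.stamps[src]
        stamps.append(now)
        if len(stamps) > IP_PKT_LIST_TOT:   # oldest stamp is overwritten
            del stamps[0]

    def _hits(self, src, now, seconds):
        if src not in self.stamps:
            return 0
        stamps = self.stamps[src]
        if seconds is None:                 # no --seconds: every stored stamp counts
            return len(stamps)
        return sum(1 for t in stamps if t + seconds > now)

    def rcheck(self, src, now, seconds=None, hitcount=1):
        return src in self.stamps and self._hits(src, now, seconds) >= hitcount

    def update(self, src, now, seconds=None, hitcount=1):
        if self.rcheck(src, now, seconds, hitcount):
            self.set(src, now)              # a matched --update records a new stamp
            return True
        return False


def sshautoban(recent, src, now):
    """Walk the SSHAUTOBAN chain for one NEW connection.

    Returns (verdict, logged) where logged mirrors the -j LOG rule firing.
    """
    recent.set(src, now)                                   # --set --name SSH
    logged = recent.rcheck(src, now, hitcount=4)           # --rcheck --hitcount 4 -j LOG
    if recent.update(src, now, seconds=60, hitcount=4):    # --update --seconds 60 --hitcount 4 -j DROP
        return "DROP", logged
    if recent.rcheck(src, now):                            # --rcheck -j ACCEPT (always true after --set)
        return "ACCEPT", logged
    return "FALLTHROUGH", logged


def simulate(attempts):
    """attempts: list of (time_in_seconds, source_address). Returns [(verdict, logged), ...]."""
    recent = RecentList()
    return [sshautoban(recent, src, t) for t, src in attempts]


# Constructed sample: one host hammers port 22, another connects once.
SAMPLE = [
    (0, "203.0.113.7"),
    (5, "198.51.100.2"),
    (10, "203.0.113.7"),
    (20, "203.0.113.7"),
    (30, "203.0.113.7"),   # fourth connection within 60 s -> dropped
    (31, "203.0.113.7"),   # still inside the window -> dropped, ban extended
    (100, "203.0.113.7"),  # quiet for 60 s after the last stamp -> accepted again, but still logged
]

if __name__ == "__main__":
    for (t, src), (verdict, logged) in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t={t:4d}s {src:14s} {verdict:7s} {'LOG' if logged else ''}")
```

On a live system the same list can be inspected at `/proc/net/xt_recent/SSH` (one line per address with its stored timestamps), which is the quickest way to confirm that a banned address really is being counted the way the simulation predicts.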