[CentOS] Ideas for stopping ssh brute force attacks

nate centos at linuxpowered.net
Mon Jul 21 22:48:31 UTC 2008

D Steward wrote:

> Because I don't believe a solution such as fail2ban will scale (it can't
> be healthy having tens of thousands of IPs in iptables), I use denyhosts

Wherever possible I use layer 2 bridging OpenBSD firewalls in front of
my networks. I don't have a problem with brute force attacks, but it
seems it can scale to tens of thousands of IPs without a problem. I'm
not sure if iptables has similar capabilities or not --


"[..]Lookups against a table are very fast and consume less memory and
processor time than lists. For this reason, a table is ideal for holding
a large group of addresses as the lookup time on a table holding 50,000
addresses is only slightly more than for one holding 50 addresses"

And the pf equivalent to the iptables throttling:


An example:

    # table of offending sources; "persist" keeps it even when no rule references it
    table <abusive_hosts> persist
    block in quick from <abusive_hosts>

    pass in on $ext_if proto tcp to $web_server \
        port www flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, \
         overload <abusive_hosts> flush)

This does the following:

    * Limits the maximum number of connections per source to 100
    * Rate limits the number of connections to 15 in a 5 second span
    * Puts the IP address of any host that breaks these limits into the
      <abusive_hosts> table
    * For any offending IP addresses, flush any states created by this rule.

I don't like/use OpenBSD for anything other than firewalls. But I
do think as a firewall, pf really can't be beat, the configuration
for typical rules just 'flows'. IPTables by comparison is so cryptic.
(speaking as a past user of ipfwadm, ipfw, ipchains, iptables, pf,
and Cisco PIX, which is probably the worst of the ones I've used).

I use linux pretty much everywhere else other than firewalls. Even
my preferred network gear - load balancers and switches run linux
(commercial variants).
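To make the two limits in the quoted rule concrete, here is an added Python model (not pf's code and not from the post) that replays a list of connection events against `max-src-conn 100` and `max-src-conn-rate 15/5` and builds the equivalent of the `<abusive_hosts>` table; the sample events and IP addresses are constructed, and the window semantics are an approximation of pf's.

```python
"""Model of pf's max-src-conn / max-src-conn-rate overload behaviour.

Added example: replays (timestamp, source, "open"|"close") records so a
candidate threshold can be tried against real connection logs before it
is put in pf.conf. Not pf's implementation; window handling is approximate.
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 100            # max-src-conn 100: concurrent states per source
RATE_CONNS, RATE_SECS = 15, 5  # max-src-conn-rate 15/5: new conns per 5 s


def replay(events, max_conn=MAX_SRC_CONN, rate=(RATE_CONNS, RATE_SECS), flush=True):
    """Return (abusive_hosts, open_states) after replaying time-ordered events."""
    limit, window = rate
    recent = defaultdict(deque)   # src -> timestamps of opens in the last `window` s
    states = defaultdict(int)     # src -> currently open states for that source
    abusive = set()               # stands in for the <abusive_hosts> table
    for ts, src, kind in events:
        if src in abusive:
            continue              # "block in quick from <abusive_hosts>"
        if kind == "close":
            states[src] = max(0, states[src] - 1)
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop opens older than the window
            q.popleft()
        states[src] += 1
        if states[src] > max_conn or len(q) > limit:
            abusive.add(src)      # "overload <abusive_hosts>"
            if flush:             # "flush": tear down this source's states
                states[src] = 0
    return abusive, {s: n for s, n in states.items() if n}


# Constructed sample: 203.0.113.5 opens 20 connections in under 3 seconds,
# 198.51.100.7 behaves like a normal client.
SAMPLE = [(t * 0.15, "203.0.113.5", "open") for t in range(20)]
SAMPLE += [(0.5, "198.51.100.7", "open"), (1.0, "198.51.100.7", "open"),
           (2.0, "198.51.100.7", "close"), (9.0, "198.51.100.7", "open")]
SAMPLE.sort()

if __name__ == "__main__":
    hosts, open_states = replay(SAMPLE)
    print("abusive:", sorted(hosts))          # prints ['203.0.113.5']
    print("open states:", open_states)        # prints {'198.51.100.7': 2}
```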
