[CentOS] Ideas for stopping ssh brute force attacks

Mon Jul 21 21:01:40 UTC 2008
Michael Gabriel <irzyxel at gmail.com>

easiest way with centos board tools is iptable recent module ...

simply limit the amount of connections a host is allowed to the ssh port

iptables -N SSHSCAN
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH
iptables -A SSHSCAN -m recent --update --seconds 300 --hitcount 3 --name SSH
-j DROP

limits each host to 3 connections within 5 minutes. enough to make bots stop
and still not too annoying for users that mistype their password 3x3 times

On Mon, Jul 21, 2008 at 10:43 PM, Bo Lynch <blynch at ameliaschools.com> wrote:

> just wanted to get some feedback from the community. Over the last few
> days I have noticed my web server and email box have attempted to ssh'd to
> using weird names like admin,appuser,nobody,etc.... None of these are
> valid users. I know that I can block sshd all together with iptables but
> that will not work for us. I did a little research on google and found
> programs like sshguard and sshdfilter. Just wanted to know if anyone had
> any experience with anything like these programs or have any other advice.
> I really appreciate it.
>
> --
> Bo Lynch
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20080721/f214fb43/attachment-0005.html>