You have probably seen very simple iptables rules to do this. This is a little bit better.

-A INPUT -i eth0.103 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0.103 -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 4 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
-A INPUT -i eth0.103 -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "SSH brute force "
-A INPUT -i eth0.103 -p tcp -m tcp --dport 22 -m recent --update --seconds 30 --hitcount 3 --rttl --name SSH --rsource -j REJECT --reject-with tcp-reset
-A INPUT -i eth0.103 -p tcp -m tcp --dport 22 -j ACCEPT

That’s it.
Now what is it?  What does it do?  How does it work?

The first rule tells the system:
TCP packets are going to come in, that will attempt to establish an SSH connection.  Mark them as SSH.  Pay attention to the source of the packet.
The second rule says:
If a packet attempting to establish an SSH connection comes, and it’s the fourth packet to come from the same source in thirty seconds, just reject it with prejudice and stop thinking about it.
The third and fourth rules mean:
If an SSH connection packet comes in, and it’s the third attempt from the same guy in thirty seconds, log it to the system log once, then immediately reject it and forget about it.
The fifth rule says:
Any SSH packet not stopped so far, just accept it.

And that’s all.You may want to adjust the number of seconds and hit count to your tastes.
Remember that the second rule has a hit count that is one higher than the ones following it — this is a precaution to stop the packet from continuing down the chain of rules, so brute forcing won’t spam your logs.

Leave a Reply

Your email address will not be published. Required fields are marked *

To submit solve the problem below * Time limit is exhausted. Please reload the CAPTCHA.