restrict ssh access


We have one ssh server which receives about 6000 failed attempts to login
using various usernames every day from malicious hosts (averaging about 1000
attempts from each distinct client IP address).
Does anyone know if there is a way to restrict the number or rate of
unsuccessful login attempts per client IP address? For example, configure
ssh server to accept only one ssh connection request per minute from the
same client IP address. Thanks very much.


Re: restrict ssh access

On Mon, 26 Dec 2005 14:34:42 -0800, Xinming He wrote:


    This is something I picked up at some newsgroup not long ago.

#! /bin/sh
# This is a deterrent against SSH breakin attempts. Without this, /var/log/
# messages tends to get flooded by traces from such attempts. The last two
# rules of this script prevent such attempts from taking place more frequently
# than every 15 seconds. Effectively, a failed SSH login attempt from a given
# IP address results in any further SSH login attempts from that address being
# summarily dismissed for 15 seconds. The first rule in the script just says
# that this mechanism is not to be used for our internal network.
#
# Note: the rules see new TCP connections, not login results, so every new
# connection to port 22 from an address is counted, successful logins included.
# The final --set rule has no -j target: the packet carries on to the rest of
# the INPUT chain, which (or the chain policy) must still allow port 22.

# The network address after -s was lost from the posted script; it must be
# supplied before the script is run (placeholder, e.g. INTERNAL_NET=192.168.0.0/24).
INTERNAL_NET="${INTERNAL_NET:?set INTERNAL_NET to your internal network in CIDR form}"

iptables -A INPUT -p tcp -i eth0 -s "$INTERNAL_NET" --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 \
    -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 \
    -m recent --set
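The two `-m recent` rules above act on new TCP connections rather than on login results, and `--update` refreshes the source's timestamp on every match. The following Python model of that matcher is added here and is not part of the thread: it replays constructed connection attempts (documentation addresses, made-up times) through the posted 15-second rule pair and through a `--hitcount` variant closer to the one-per-minute request in the original question.

```python
from collections import defaultdict, deque


class RecentTable:
    """Minimal model of the xt_recent list: each source keeps a ring of hit times."""

    def __init__(self, max_stamps=20):  # ip_pkt_list_tot defaults to 20 stamps
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):
        """`-m recent --set`: record a hit for this source."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount=1):
        """`-m recent --update --seconds S --hitcount N`: match when the source has
        at least N hits within the last S seconds. Unlike --rcheck, a match also
        records the current hit, so a client that keeps retrying inside the window
        keeps pushing its own block forward."""
        hits = sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def ssh_verdicts(attempts, seconds, hitcount=1):
    """Apply the posted rule order (--update ... -j DROP, then --set) to a list of
    (time, source) new connections and return one verdict per attempt.
    ACCEPT here means 'not dropped; falls through to the rest of the chain'."""
    table = RecentTable()
    verdicts = []
    for now, src in attempts:
        if table.update(src, now, seconds, hitcount):
            verdicts.append("DROP")
        else:
            table.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts


if __name__ == "__main__":
    # Constructed input: a scanner retrying every few seconds, and an admin who
    # opens a second session 5 s after the first (both addresses are fictitious).
    scanner = [(t, "203.0.113.7") for t in (0, 5, 10, 20, 100)]
    admin = [(0, "198.51.100.2"), (5, "198.51.100.2")]
    print("posted 15 s rule, scanner:", ssh_verdicts(scanner, seconds=15))
    print("posted 15 s rule, admin:  ", ssh_verdicts(admin, seconds=15))
    burst = [(t, "203.0.113.7") for t in range(6)]
    print("60 s / hitcount 4, burst: ", ssh_verdicts(burst, seconds=60, hitcount=4))
```

With the posted order the `--hitcount 4` variant lets four connections through per window and drops the fifth; swapping the rules so `--set` runs first counts the current connection too, and only three get through. Either way the scanner that retries every 5 s stays blocked past the 15 s mark, while the admin's second session within 15 s is dropped as well.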
