https://www.chepkov.com/w/index.php?action=history&feed=atom&title=IPTablesIPTables - Revision history2026-04-28T17:14:55ZRevision history for this page on the wikiMediaWiki 1.43.6https://www.chepkov.com/w/index.php?title=IPTables&diff=457&oldid=prevVvc at 19:25, 16 July 20102010-07-16T19:25:11Z<p></p>
<p><b>New page</b></p><div>===Block ssh brutal force attack ===<br />
* /etc/modprobe.conf<br />
options ipt_recent ip_list_tot=200 ip_pkt_list_tot=15 ip_list_hash_size=0<br />
<br />
* /etc/sysconfig/iptables<br />
<pre><br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:IN - [0:0]<br />
:blacklist - [0:0]<br />
:ssh - [0:0]<br />
-A INPUT -j IN<br />
-A FORWARD -j IN<br />
-A IN -i lo -j ACCEPT<br />
-A IN -p icmp --icmp-type any -j ACCEPT<br />
-A IN -m state --state INVALID -j DROP<br />
-A IN -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
# SSH handler<br />
-A IN -m state --state NEW -m tcp -p tcp --syn --dport ssh -j ssh<br />
-A blacklist -m recent --name blacklist --set -j DROP<br />
-A ssh -m recent --update --name blacklist --seconds 600 --hitcount 1 -j DROP<br />
-A ssh -m recent --set --name sshcount <br />
-A ssh -m recent --rcheck --name sshcount --seconds 60 --hitcount 10 -j blacklist<br />
-A ssh -j ACCEPT<br />
# Other services<br />
-A IN -m state --state NEW -m tcp -p tcp --syn --dport http -j ACCEPT<br />
-A IN -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
</pre><br />
<br />
: Make sure ''ip_pkt_list_tot'' is big enough to fit ''hitcount''<br />
<br />
This firewall configuration "blacklist"s any IP, which tries to establish an ssh connection more then 10 times in any given 60 seconds interval.<br><br />
The IP will be blacklisted for 600 seconds, as long as no new packets arrived from this IP during this grace period, otherwise, the timer will be reset to 0 with each new packet.<br />
<br />
<br />
Observe your good work:<br />
watch cat /proc/net/ipt_recent/blacklist</div>Vvc