-
Linux Guru

Originally Posted by bsisco
The best way that I have found for doing this is this:
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
The downside to this is that every time you reboot or restart iptables you have to do this again. The easiest thing to do is put it in a bash script. There is a great article @ TechBlog - How to: Block brute force attacks with iptables

Not really, just use 'iptables save' to save the configuration of iptables.
Regards
Robert
Linux
The adventure of a life time.
Linux User #296285
Get Counted
-

Originally Posted by areeda
I searched but couldn't find anything like this.
We get regular "dictionary attacks" on our ssh ports: people or programs trying various username/password combinations to log in, sometimes close to a thousand. The next day, reviewing the logs, we block the addresses (or the range around the addresses if it looks like a dynamic IP) using IPTables.
Is there any way to enforce a rule that says any particular source IP can only have so many login failures before it is shut down?
Thanks,
Joe
If you really don't want to change the sshd port number (because this type of attack uses bots that search for open port 22 and try to guess the nick and password), use Linux-PAM and change the authorization in the sshd file. (You must search for the module that drops IP numbers that use bad logins.)
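As an added illustration (not code from any poster in this thread) of the threshold logic behind both Joe's question and bsisco's `-m recent --seconds 60 --hitcount 8` rule, the script below applies the same sliding-window test to sshd log lines instead of to SYN packets, and renders a DROP rule for each address that crossed it. The log lines, year, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd lines in /var/log/auth.log syslog format (no year field).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:05 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:09 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
Mar  3 10:00:20 host sshd[1209]: Failed password for joe from 198.51.100.4 port 40000 ssh2
Mar  3 10:00:25 host sshd[1210]: Accepted password for joe from 198.51.100.4 port 40002 ssh2
Mar  3 10:02:30 host sshd[1220]: Failed password for root from 203.0.113.7 port 51300 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d+\.\d+\.\d+\.\d+) port"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, source_ip) for each 'Failed password' line, oldest first."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def offenders(text, seconds=60, hitcount=4):
    """Map each source IP that reached `hitcount` failures inside a sliding window
    of `seconds` to the time the threshold was first crossed (the same
    --seconds/--hitcount test the iptables recent match applies per packet)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    crossed = {}
    for ts, ip in parse_failures(text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()      # expire hits older than the window
        if len(window) >= hitcount and ip not in crossed:
            crossed[ip] = ts
    return crossed

def drop_rules(ips, port=22):
    """Render one iptables rule per offending address (review before applying)."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(ips)]
```

Calling `drop_rules(offenders(SAMPLE_LOG))` yields a single rule for 203.0.113.7; the lone failure from 198.51.100.4 and the later isolated failure at 10:02:30 fall outside the window and never match, which is the point of the window over a plain counter.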