Find the answer to your Linux question:
Page 2 of 2 FirstFirst 1 2
Results 11 to 12 of 12
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #11
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    The Keystone State

    Quote Originally Posted by bsisco View Post
    The best way that I have found for doing this is this:
    sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

    The downside to this is that every time you reboot or restart iptables you have to do this again. The easiest thing to do is put it in a bash script. There is a great article @ TechBlog - How to: Block brute force attacks with iptables
    Not really just use 'iptables save' to save the configuration of iptables.


    The adventure of a life time.

    Linux User #296285
    Get Counted

  2. #12
    Quote Originally Posted by areeda View Post
    I searched but couldn't find anything like this.

    We get regular "dictionary attacks" on our ssh ports. People or programs trying various username/password combination trying to log in. Sometimes close to a 1000. The next day reviewing the logs we block the addresses or range around the addresses if it looks like a dynamic ip using IPTables.

    Is there anyway to enforce a rule that says any particular source ip can only have so many login failures before it is shut down?



    If ju really don't want change numer ports sshd (because this type attack use boot's who search open 22 ports and trying solve nick and password, use Linux-PAM and change the Authorization in file sshd . (you must search what mod drop ip numer who use bad login)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts