Brute-Force SSH Attacks
One of the servers I manage has been getting slammed hard by ssh brute-force dictionary attacks. There are typically a few thousand such attempts each day. One particularly bad day saw 122,000 attempts. I got tired of seeing this in my security logs, so today I did something about them. I used iptables to limit which IP addresses are allowed to connect via ssh. Here’s a simple script I wrote to add the rules:
#!/bin/bash
# create a dedicated chain for ssh traffic
/sbin/iptables -N SSHD
# here's the list of allowed ip addresses (hosts or CIDR networks)
ALLOWED="192.168.0.0/24 12.12.0.0/16 1.2.3.4"
for i in $ALLOWED; do
    /sbin/iptables -A SSHD -s "$i" -j ACCEPT
done
# reject everyone else
/sbin/iptables -A SSHD -j REJECT
# send all ssh traffic to the SSHD chain
/sbin/iptables -A INPUT -p tcp --destination-port 22 -j SSHD
# end of script
To use this script, edit the ALLOWED= line to list the IP addresses (or networks) that should be able to reach the system via ssh. All other addresses will be REJECTed by iptables.
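The script above does exactly what it says, but run on a remote box it has one sharp edge: if the address you are logged in from is not in ALLOWED, applying it cuts off your own session. The following is an added example, not the original post's script, that keeps the same SSHD-chain design and adds a lockout guard (it refuses to apply unless the address in SSH_CLIENT falls inside one of the ALLOWED entries), a dry-run mode that prints the rules for review, and a rate-limited LOG rule so rejected attempts still appear in the security log. The variable names, the DRY_RUN switch, the log prefix and the choice to insert the INPUT jump at the top of the chain are all assumptions of this example.

```shell
#!/bin/bash
# Added example (not the original post's script): SSHD allow-list with a
# lockout guard, dry-run mode and logging of rejected connection attempts.
# ALLOWED, SSH_PORT, IPT and DRY_RUN are assumed names; override via environment.

ALLOWED="${ALLOWED:-192.168.0.0/24 12.12.0.0/16 1.2.3.4}"
SSH_PORT="${SSH_PORT:-22}"
IPT="${IPT:-/sbin/iptables}"

# ip_to_int 192.168.0.5 -> the dotted quad as a single integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_allowed ADDR LIST -> exit 0 if ADDR lies inside any host or CIDR entry of LIST
in_allowed() {
    local addr="$1" list="$2" entry net bits mask a n
    a=$(ip_to_int "$addr")
    for entry in $list; do
        net="${entry%/*}"
        case "$entry" in
            */*) bits="${entry#*/}" ;;
            *)   bits=32 ;;              # bare host address: treat as /32
        esac
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        n=$(ip_to_int "$net")
        if [ $(( a & mask )) -eq $(( n & mask )) ]; then
            return 0
        fi
    done
    return 1
}

# plan_rules -> prints one iptables command per line; this is the full rule set
plan_rules() {
    local entry
    echo "$IPT -N SSHD 2>/dev/null || true"        # chain may already exist
    echo "$IPT -F SSHD"                             # start from an empty chain
    for entry in $ALLOWED; do
        echo "$IPT -A SSHD -s $entry -j ACCEPT"
    done
    # log what is about to be rejected, rate-limited so the log cannot be flooded
    echo "$IPT -A SSHD -m limit --limit 5/min -j LOG --log-prefix 'SSHD-REJECT: '"
    echo "$IPT -A SSHD -j REJECT"
    # remove any previous jump, then insert at the top so nothing earlier in INPUT shadows it
    echo "$IPT -D INPUT -p tcp --dport $SSH_PORT -j SSHD 2>/dev/null || true"
    echo "$IPT -I INPUT -p tcp --dport $SSH_PORT -j SSHD"
}

# apply_rules -> returns 2 (and changes nothing) when the current ssh session
# would be locked out; otherwise prints (DRY_RUN=1) or executes the plan.
apply_rules() {
    local me="${SSH_CLIENT%% *}"    # SSH_CLIENT is "client-addr client-port server-port"
    if [ -n "$me" ] && ! in_allowed "$me" "$ALLOWED"; then
        echo "refusing to apply: your address $me is not in ALLOWED" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        plan_rules
    else
        plan_rules | while IFS= read -r cmd; do
            eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        done
    fi
}

# usage:  ./ssh-allow.sh plan    (review the rules)   ./ssh-allow.sh apply
case "${1:-}" in
    plan)  DRY_RUN=1 apply_rules ;;
    apply) apply_rules ;;
esac
```

The guard only helps when SSH_CLIENT is set, i.e. when you are applying the rules over ssh; from a console login it is skipped, which is the situation where a lockout does not matter. The plan step is worth running first on any host where the INPUT chain already carries other rules, since the example inserts its jump at position 1 rather than appending as the original script does.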



October 7th, 2005 at 3:04 am
You would like to use ipset[1] to organize the ip addresses that are allowed to connect.
There’s a tarpit module for netfilter/iptables that lets you have a little more fun with these attacks. Ask Google for “+iptables +ssh +tarpit”
[1] http://ipset.netfilter.org/
polarizer's 2 cents
http://www.codixx.de/polarizer.html
October 7th, 2005 at 7:25 am
Unfortunately, at this time I can’t do anything that requires a new kernel. The ecommerce server is remote so installing a new kernel requires coordination with the hosting company in case something goes wrong. I’m using the tarpit patch with my home server, though.