[WBEL-users] kill ssh dictionary attacks

Vic whitebox at beer.org.uk
Thu Mar 23 08:24:10 CST 2006


> It has always annoyed the cr@p out of me each morning as I go through the
> logs on my linux servers to see attempted ssh connections using every
> username under the sun as some person tries to guess my passwords

I've just taken action against exactly this - and rather successfully, if
I do say so myself :-)

I've used an iptables script to rate-limit ssh connections. I've created a
new chain called "ssh", which is run for any new port 22 connections :-

-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ssh

This chain firstly whitelists the IPs I know about & want unrestricted :-

-A ssh -s 213.232.80.166 -j ACCEPT
(etc.)

Then I rate-limit anyone else :-

-A ssh -p tcp -m tcp -m limit -m state --limit 2/minute --limit-burst 2 --state NEW -j ACCEPT
-A ssh -j DROP

The upshot of this is that anyone not specifically whitelisted is allowed
to connect twice per minute to the ssh port; any more than this, and the
packets get dropped.

I built this on a server that was getting approx 3000 ssh attacks a day.
It now gets up to ten :-)

HTH

Vic.
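The rule set above can be reasoned about with a small model of the netfilter `limit` match, which is a token bucket: the bucket starts with `--limit-burst` tokens, every packet that reaches the rule spends one, and tokens refill at the `--limit` rate. The following is an added example, not code from the post or from iptables; the source addresses 10.0.0.99, 192.0.2.10 and 198.51.100.7 and the timings are constructed for the scenario, and only 213.232.80.166 comes from the post. The model ignores kernel tick granularity but is exact enough to count what gets through.

```python
"""Model of the post's "ssh" chain: whitelist ACCEPT, then `-m limit`, then DROP.

Added example, not from the original post. It models the netfilter `limit`
match as the token bucket it is: the bucket starts full at --limit-burst
tokens, each packet that reaches the rule spends one token, and tokens refill
at the --limit rate. It is not iptables itself and ignores kernel tick
granularity, but it is enough to see how many attempts get through.
"""
from fractions import Fraction

# From the post: whitelisted source, 2/minute average, burst of 2.
WHITELIST = {"213.232.80.166"}
LIMIT_PER_MINUTE = 2
LIMIT_BURST = 2


class LimitMatch:
    """Token bucket with the semantics of `-m limit --limit R --limit-burst B`."""

    def __init__(self, per_minute, burst):
        self.rate = Fraction(per_minute, 60)   # tokens per second, kept exact
        self.capacity = burst
        self.tokens = Fraction(burst)           # bucket starts full
        self.last = Fraction(0)

    def matches(self, now):
        now = Fraction(now)
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class SshChain:
    """Walks the three rule groups of the post's chain in order."""

    def __init__(self, whitelist=WHITELIST):
        self.whitelist = set(whitelist)
        self.limit = LimitMatch(LIMIT_PER_MINUTE, LIMIT_BURST)

    def verdict(self, src, now):
        if src in self.whitelist:          # -A ssh -s <ip> -j ACCEPT
            return "ACCEPT"
        if self.limit.matches(now):        # -A ssh ... -m limit ... -j ACCEPT
            return "ACCEPT"
        return "DROP"                      # -A ssh -j DROP


def simulate(attempts, whitelist=WHITELIST):
    """attempts: iterable of (seconds, src_ip) NEW-connection packets.
    Returns {(src, verdict): count}."""
    chain = SshChain(whitelist)
    counts = {}
    for now, src in sorted(attempts):
        key = (src, chain.verdict(src, now))
        counts[key] = counts.get(key, 0) + 1
    return counts


def dictionary_attack_minute():
    """Constructed scenario: one minute of a guessing bot at one SYN per second
    (10.0.0.99, hypothetical), the whitelisted admin connecting five times, and
    one legitimate non-whitelisted user (192.0.2.10, hypothetical) trying once."""
    attempts = [(t, "10.0.0.99") for t in range(60)]
    attempts += [(t, "213.232.80.166") for t in range(10, 15)]
    attempts += [(45, "192.0.2.10")]
    return simulate(attempts)


def burst_after_quiet():
    """Constructed scenario: three quick attempts, a quiet spell, three more.
    Shows the bucket refilling back up to --limit-burst while idle."""
    attempts = [(t, "198.51.100.7") for t in (0, 1, 2, 200, 201, 202)]
    return simulate(attempts)


if __name__ == "__main__":
    for name, fn in (("one attacking minute", dictionary_attack_minute),
                     ("burst after quiet", burst_after_quiet)):
        print(name)
        for (src, verdict), n in sorted(fn().items()):
            print(f"  {src:16} {verdict:6} {n}")
```

In the first scenario the bot gets its two burst tokens at once, then one more connection at the 30-second mark, and the other 57 SYNs are dropped; the whitelisted address is never counted against the bucket. The attempt from 192.0.2.10 is dropped too, because `-m limit` keeps a single bucket for every packet that reaches the rule rather than one per source address, so a single busy bot also locks out any legitimate user who is not whitelisted. That shared bucket is the main caveat of this approach and the reason per-source matches such as `-m hashlimit` or `-m recent` are often used instead.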
