
Using IPTables to Block SSH Brute Force Attempts

Posted by Travis Collins at August 29, 2009 5:11 PM

Most Linux distributions ship with no SSH brute-force countermeasures 'out of the box'. You can use this short set of commands to configure an IPTables rule that blocks SSH attempts from any IP address after 3 failed SSH logins.

# Dedicated chain that every new SSH connection passes through
iptables -N SSH_CHECK
# Send new TCP connections to port 22 into that chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Record the source address (one hit per new connection) in the recent list named "SSH"
iptables -A SSH_CHECK -m recent --set --name SSH
# Drop the connection once the address has 4 hits within 60 seconds, i.e. the 4th attempt in a minute
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

Source: Hosting Fu
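To see what the two SSH_CHECK rules actually do over time, the replay below models the -m recent --set / --update behaviour for a stream of NEW connections. It is an added example, not code from the post or from Hosting Fu; the list name, 60-second window and hit count of 4 come from the rules above, the 20-timestamp limit is the kernel's default ip_pkt_list_tot, and the addresses and timestamps are constructed.

```python
"""Replay NEW SSH connections through a model of the SSH_CHECK chain.

Models the xt_recent (-m recent) semantics as an added illustration:
--set records a hit, --update matches when enough hits fall inside the
window and, on a match, records another hit (so the window slides).
"""
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # xt_recent keeps at most this many timestamps per address (kernel default)


class RecentList:
    """One named list (--name SSH): source address -> recent hit timestamps."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, ip, now):
        """-m recent --set: add the address, or record one more hit for it."""
        self.stamps[ip].append(now)

    def update(self, ip, now, seconds, hitcount):
        """-m recent --update --seconds S --hitcount N.

        Matches when the address has at least N hits newer than now - S.
        Unlike --rcheck, a match also records a fresh hit, so an address
        that keeps connecting stays blocked until it goes quiet for S seconds.
        """
        hits = sum(1 for t in self.stamps.get(ip, ()) if t > now - seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def ssh_check(recent, ip, now, seconds=60, hitcount=4):
    """Walk the SSH_CHECK chain for one NEW connection to port 22."""
    recent.set(ip, now)                                # --set --name SSH
    if recent.update(ip, now, seconds, hitcount):      # --update --seconds 60 --hitcount 4
        return "DROP"
    return "RETURN"                                    # no match: back to INPUT, SYN proceeds


def replay(connections, seconds=60, hitcount=4):
    """Verdict for each (time_in_seconds, source_ip) NEW connection, in order."""
    recent = RecentList()
    return [(t, ip, ssh_check(recent, ip, t, seconds, hitcount)) for t, ip in connections]


# Constructed timeline: 203.0.113.5 connects at t=0,10,20,30 (the 4th is dropped),
# retries at t=70 while still inside the sliding window, and is let back in at
# t=200 once its hits have aged out. 198.51.100.9 is tracked separately.
SAMPLE_CONNECTIONS = [(0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
                      (30, "203.0.113.5"), (40, "198.51.100.9"), (70, "203.0.113.5"),
                      (200, "203.0.113.5")]

if __name__ == "__main__":
    for t, ip, verdict in replay(SAMPLE_CONNECTIONS):
        print(f"t={t:>4}s {ip:<14} {verdict}")
```

Note that the model never looks at whether a login succeeded: the verdict depends only on how many NEW connections an address opened inside the window, which is what the rules measure.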


Comments

Why do you think this counts "failed" login attempts? It measures new connections and will lock out someone who hits the threshold, failed or not.

Comment by mag at October 15, 2009 7:39 PM


Actually, the rule only blocks connections in the NEW state. I have this running on dozens of shared hosting systems supporting hundreds of users with few side effects. Only some aggressive automation tools have tripped the filter.

Comment by jeffatrackaid at January 27, 2010 7:10 PM




Copyright DreamingWell.com 2010