SW Designs

Technology and Photography

Block Brute Force Attacks With Iptables

The iptables recent module can be used to track seen IP addresses and match against them using some criteria.

This enables admins to identify and block brute force attacks. The following config only allows 4 connections to port 22 within a 60 second time frame from a given IP address; subsequent connections are logged and dropped. The disadvantage of this approach is that iptables cannot distinguish successful from unsuccessful logins, since every new connection is counted. This means that you can potentially lock yourself out of your own server! To help overcome this problem, a whitelist of admin IP addresses is added and accepted before the rate-limiting chain is consulted.

# Admin addresses that must never be rate limited. Placeholder value:
# replace it with your own address(es). Newer iptables versions also accept
# a comma-separated list here.
WHITELIST="203.0.113.10"

# Create new chain
iptables -N SSH_CHAIN

# Accept all SSH connections from admin addresses. This rule must come before
# the jump into SSH_CHAIN so that whitelisted addresses are never counted.
iptables -A INPUT -p tcp --dport 22 -s "$WHITELIST" -j ACCEPT

# Route inbound new connections via our SSH chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHAIN

# Add (or refresh) the source address in the dynamic list named SSH
iptables -A SSH_CHAIN -m recent --set --name SSH

# Log any violations: the address has now been seen 4 times (this packet
# included) within 60 seconds. --rttl additionally requires the TTL to match
# the packet that first hit --set, so spoofed packets are less able to get a
# legitimate address blocked.
iptables -A SSH_CHAIN -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-level info --log-prefix "SSH CHAIN blocked: "

# Drop the packet. Same match criteria as the LOG rule, so every dropped
# packet also produces a log line.
iptables -A SSH_CHAIN -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
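Once the LOG rule above is in place, the kernel log is where you confirm the config is doing what you expect. The script below is an added example (not part of the original post): it summarises the "SSH CHAIN blocked: " lines per source address and checks that none of the whitelisted admin addresses ever appear there, which would mean the ACCEPT rule is missing or ordered after the jump to SSH_CHAIN. The log lines and the WHITELIST value are constructed sample data using RFC 5737 documentation addresses; on a real host you would feed it `journalctl -k` or /var/log/kern.log instead of the embedded text.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output from the SSH_CHAIN rules and
# verify that no whitelisted address was rate limited.
# SAMPLE_LOG is constructed sample data in the usual iptables LOG format.

SAMPLE_LOG='Mar  3 10:15:01 host kernel: SSH CHAIN blocked: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Mar  3 10:15:02 host kernel: SSH CHAIN blocked: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=22 SYN URGP=0
Mar  3 10:15:03 host kernel: SSH CHAIN blocked: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Mar  3 10:15:04 host kernel: unrelated kernel message that must be ignored SRC=203.0.113.99
Mar  3 10:15:05 host kernel: SSH CHAIN blocked: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51236 DPT=22 SYN URGP=0'

# Admin addresses (constructed placeholders) that the ACCEPT rule should have
# let through before the packet ever reached SSH_CHAIN.
WHITELIST='203.0.113.1 203.0.113.2'

# Print "count address" for every blocked source, busiest first.
# Only lines carrying the LOG prefix are counted; other kernel messages are skipped.
blocked_sources() {
    printf '%s\n' "$SAMPLE_LOG" |
        grep 'SSH CHAIN blocked: ' |
        sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Return 0 when no whitelisted address appears among the blocked sources,
# 1 otherwise (a sign that the INPUT rule order is wrong).
whitelist_never_blocked() {
    for ip in $WHITELIST; do
        if blocked_sources | awk -v ip="$ip" '$2 == ip { found = 1 } END { exit !found }'; then
            echo "whitelisted address $ip was blocked: check INPUT rule order" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone usage: show the summary, then run the whitelist check.
blocked_sources
whitelist_never_blocked && echo "whitelist check passed"
```

The summary is deliberately keyed on the `--log-prefix` string rather than on DPT=22, so the same filter keeps working if you later reuse the chain for another service with a different prefix. A whitelisted address showing up in this output is the quickest indicator that you are about to lock yourself out.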
