Block attempts to brute-force access to a machine with publicly-accessible ssh.
Anyone running sshd on a computer directly connected to the internet will see numerous brute-force attempts to break in. This is pretty annoying, as it fills up the log files. It is even more annoying when your console output gets clobbered by repeated notices of attempted failures.
There are many strategies for defeating these brute-force attacks. Some strategies go for obscurity - run your ssh daemon on a non-standard port. Others go for clever port-knocking or timing schemes. This script is a set of iptables firewall rules that blacklist a source if the source tries to connect too often in a specific time period.
Punt SSH Kiddies
This script configures an iptables firewall to reject attempts to connect on port 22 (the default port for ssh connections) if the connecting computer makes more than 5 attempts in 10 seconds. Subsequent attempts to connect will be dropped. It makes a log entry when a client is added to the drop list.
To use this script, run it once during system startup, for example in /etc/rc.local. When kiddies attack you will see messages like this in the system logs:
Here are other implementations and approaches:
Copyright © 2009 Matthew Wall, all rights reserved