Punt SSH Script-Kiddies (Throttle SSH)

Block attempts to brute-force access to a machine with publicly-accessible ssh.

Anyone running sshd on a computer directly connected to the internet will see numerous brute-force attempts to break in. This is annoying because it fills up the log files, and more annoying still when your console output gets clobbered by repeated notices of failed login attempts.

There are many strategies for defeating these brute-force attacks. Some rely on obscurity: run your ssh daemon on a non-standard port. Others use port-knocking or timing schemes. This script is a set of iptables firewall rules that blacklist a source address which opens too many connections within a short time window.

Punt SSH Kiddies
0.1 25nov09

This script configures an iptables firewall to throttle connections to port 22 (the default port for ssh): once a source address makes more than 5 connection attempts in 10 seconds, its subsequent attempts are dropped, and a log entry is made when the client is added to the drop list. Note that what is counted is new TCP connections, not failed logins, so several legitimate users behind one NAT address, or a script that opens many ssh sessions in quick succession, can trip the limit as well.

To use this script, run it once during system startup, for example from /etc/rc.local. When kiddies attack, you will see messages like this in the system logs:

Nov 14 02:08:34 yarg kernel: [56818277.913195] SSH_THROTTLE: IN=eth0 OUT= MAC=00:0d:93:5c:8b:b8:00:01:24:cb:21:e1:08:00 SRC= DST= LEN=60 TOS=0x00 PREC=0x20 TTL=50 ID=2841 DF PROTO=TCP SPT=46031 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
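The script itself is not shown on this page. As an added example, not the author's code, the following shell script implements the behaviour described above with the kernel's `recent` match: the first 5 new connections from a source address within a 10-second window are accepted, the sixth and any further ones are logged with the `SSH_THROTTLE: ` prefix seen in the log line above and dropped. The chain name SSH_THROTTLE is taken from that log prefix; the list name ssh_kiddies, the IPT variable and the print/apply dispatch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original page's script): throttle new SSH connections
# per source address with iptables and the xt_recent ("recent") match.
# Assumed names: chain SSH_THROTTLE (from the log prefix), recent list
# ssh_kiddies, IPT override variable. Port and thresholds follow the text.
set -eu

IPT=${IPT:-iptables}        # set IPT="echo iptables" to dry-run the apply step
SSH_PORT=${SSH_PORT:-22}
CHAIN=SSH_THROTTLE
RECENT_LIST=ssh_kiddies
WINDOW_SECONDS=10
# xt_recent records a timestamp for a source only when the --set rule fires,
# i.e. when a connection is let through. So --hitcount 5 accepts five new
# connections inside the window and drops the sixth; because the DROP rule
# uses --update, every dropped attempt refreshes the entry, so the source
# stays blocked until it has been quiet for WINDOW_SECONDS.
HITCOUNT=5

# Emit the rule set, one iptables argument list per line. Generating the
# rules separately from applying them lets you review them without root.
ssh_throttle_rules() {
    cat <<EOF
-N $CHAIN
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j $CHAIN
-A $CHAIN -m recent --name $RECENT_LIST --rcheck --seconds $WINDOW_SECONDS --hitcount $HITCOUNT -j LOG --log-prefix "${CHAIN}: "
-A $CHAIN -m recent --name $RECENT_LIST --update --seconds $WINDOW_SECONDS --hitcount $HITCOUNT -j DROP
-A $CHAIN -m recent --name $RECENT_LIST --set -j ACCEPT
EOF
}

# Install the rules. Removes a previous instance first so re-running the
# script (e.g. at every boot from /etc/rc.local) does not duplicate rules.
apply_rules() {
    $IPT -D INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN" 2>/dev/null || true
    $IPT -X "$CHAIN" 2>/dev/null || true
    # eval so the quoted --log-prefix argument survives as a single word
    ssh_throttle_rules | while IFS= read -r args; do
        eval "$IPT $args"
    done
}

case "${1:-}" in
    apply) apply_rules ;;        # needs root
    *)     ssh_throttle_rules ;; # default: just print the rules
esac
```

Run it without arguments to print the rules, or `sh throttle.sh apply` as root to install them; `IPT="echo iptables" sh throttle.sh apply` shows exactly which commands would run. The recent list lives in kernel memory and is emptied on reboot, and the rules are IPv4 only; if sshd also listens on IPv6, load the same rules with ip6tables.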

Here are other implementations and approaches: