Slashdot runs the post on how bots are now trying higher ports for SSH password guessing. This is not a problem for those who do key-based authentication, but for those who have to have password authentication enabled, there is plenty of good advice in the comments to the post. One of the comments provides this handy iptables-based dynamic black list:
iptables --new-chain SSHTHROTTLE iptables --append SSHTHROTTLE --match recent --name bad_actors --update --seconds 86400 --jump DROP iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name ssh_throttle --hashlimit-upto 5/hour --hashlimit-mode srcip --hashlimit-burst 2 --jump ACCEPT iptables --append SSHTHROTTLE --match recent --name bad_actors --set --jump DROP iptables --append INPUT --in-interface ext+ --proto tcp --match conntrack --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE
I haven’t tried it out myself yet, but I’m saving it here for the next time I have a server with password-based authentication SSH.
3 thoughts on “SSH dynamic black list”
Interesting. If you do ever use password-based authentication, you should at least restrict it to the IPs you’re gonna be connecting from as an extra precaution.
I looked at the above solution years ago and the iptables rules I just pulled from my evernote look like this:
/sbin/iptables -I INPUT -p tcp -i eth0 –dport 22 -m state –state NEW -m recent –name sshprobe –set -j ACCEPT
/sbin/iptables -I INPUT -p tcp -i eth0 –dport 22 -m state –state NEW -m recent –name sshprobe –update –seconds 60 –hitcount 3 –rttl -j DROP
for password-based authentication, I only needed it when I had to give “other people” access to my server. People who I couldn’t really control well either. So limiting by IP wasn’t working too well for that scenario either. When it’s just me, or my friends and peers, we more often than not fall back on key-based authentication.
SSH dynamic black list iptables | Blog of Leonid Mamchenkov http://t.co/PaLCMtFN0S #Linux