I am trying to get iptables to block multiple SSH attempts, and am having only partial success (Ubuntu 10.4 LTS). I've been following the recommendations from the excellent post by Rainer Wichmann and decided that the best strategy for my system is simply having iptables block multiple SSH attempts.
So I ran the following commands:
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
# Now, as far as I understand it, iptables should block any and all ssh attempts in the 120 seconds after the "SSH_brute_force" event
sudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 120 --hitcount 4 --rttl --name SSH -j DROP
I save the settings with:
# to save iptables
sudo iptables-save > /etc/iptables.rules
# to apply rules
sudo iptables-apply
# make sure rules load before network connection by editing startup sequence:
sudo nano /etc/network/interfaces # open file for editing
# add this line to load iptables rules before network starts
pre-up iptables-restore < /etc/iptables.rules
So far everything seems in order. I test the settings by failing several SSH attempts on purpose, and indeed, I get blocked. But there are two problems:
1) iptables still allows SSH attempts from other IP addresses.
2) The time it takes to become unblocked seems random. This is a minor issue, though I would be happy to know why this happens.
I would like iptables to block any and all SSH attempts for 2 minutes if more than 4 SSH attempts/minute are made. I'm open to suggestions for other programs too, but I would prefer to keep it as simple as possible, with the intent of blocking brute-force attempts.
Suggestions?
Thanks!
-R
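To show why the block is per source address and why its end moves around, here is a small model of the `recent` module's stamp list walked through the three rules in the post, run over constructed traffic. This is an added illustration, not the poster's code or the kernel's; it assumes plain seconds instead of jiffies, a 20-entry ring per address (the old ip_pkt_list_tot default), that each connection is a NEW SYN followed by ESTABLISHED data packets that TCP retransmits when they are dropped, and that a later rule accepts established traffic.

```python
from collections import defaultdict, deque

RING = 20  # stamps kept per address (assumed old ip_pkt_list_tot default)

class RecentTable:
    """One named list (--name SSH): a ring of timestamps per source address."""
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=RING))

    def set(self, addr, now):
        # --set: record a stamp for this address; the match always succeeds
        self.stamps[addr].append(now)
        return True

    def update(self, addr, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when the address has at least
        # N stamps in the last S seconds; a match also appends a fresh stamp
        # ("last seen" refresh), so matching packets keep the window alive.
        ring = self.stamps.get(addr)
        if ring is None:
            return False
        if sum(1 for t in ring if now - t <= seconds) >= hitcount:
            ring.append(now)
            return True
        return False

def verdict(table, addr, now, state):
    """Walk the three rules from the post for one port-22 packet."""
    if state == "NEW" and table.set(addr, now):   # rule 1: --set then ACCEPT
        return "ACCEPT"
    table.update(addr, now, 60, 4)                 # rule 2: LOG, non-terminating
    if table.update(addr, now, 120, 4):            # rule 3: DROP
        return "DROP"
    return "ACCEPT"  # assumed: a later rule accepts established traffic

def simulate(packets):
    """packets: (time_s, src, conntrack state); returns one verdict each."""
    table = RecentTable()
    return [verdict(table, src, t, state) for t, src, state in packets]

A, B = "203.0.113.7", "198.51.100.9"  # constructed source addresses
TRAFFIC = [  # constructed: each attempt is a NEW SYN then ESTABLISHED data
    (0, A, "NEW"), (1, A, "ESTABLISHED"), (10, A, "NEW"), (11, A, "ESTABLISHED"),
    (20, A, "NEW"), (21, A, "ESTABLISHED"), (30, A, "NEW"), (31, A, "ESTABLISHED"),
    (34, A, "ESTABLISHED"),                    # TCP retransmit of the dropped data
    (35, B, "NEW"), (36, B, "ESTABLISHED"),    # second host: its own entry
    (38, A, "ESTABLISHED"),                    # another retransmit
    (152, A, "NEW"), (153, A, "ESTABLISHED"),  # >120 s after attempt 4, still hit
    (300, A, "NEW"), (301, A, "ESTABLISHED"),  # clear at last
]
```

In this trace the fourth attempt's SYN is still accepted because the --set rule comes first; it is the data packets that get dropped, and every dropped packet (retransmissions included) appends fresh stamps, so the 120 s window is counted from the last dropped packet rather than from the fourth attempt. The second address has a separate entry in the list and is never matched, which is the per-source behaviour of the module.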