Block IP after failed login attempt using iptables?

FireRaven · 08-11-2009, 02:14 AM

Hi,
I keep getting hundreds of SSH failed logins per day.

Is there a way with iptables, i can say if a user connects too to port 22 over 8 times in 10 minuntes, then block them for an hour?

I know this is possible I've seen it done, but I can't find anywhere how to do it...

abefroman · 08-11-2009, 02:19 AM

Quote:

Originally Posted by FireRaven

Hi,
I keep getting hundreds of SSH failed logins per day.

Is there a way with iptables, i can say if a user connects too to port 22 over 8 times in 10 minuntes, then block them for an hour?

I know this is possible I've seen it done, but I can't find anywhere how to do it...

Install apf and bfd:
http://rfxnetworks.com/

lsm is good too.

tredegar · 08-11-2009, 04:50 AM

Please read the sticky in this forum.

[Edit]
Where this has already been discussed in detail.
Any "improvements" to the suggested solutions belong there.
[/Edit]

repo · 08-11-2009, 04:52 AM

chane the ssh port from 22 to 2222

hemanshurpatel · 08-11-2009, 05:53 AM

Install snort with IPS facilities

it will take care of all those IPs and block them if they try with wrong password for configurable no of times.

curtisa · 08-11-2009, 11:55 AM

Try fail2ban as well. Works perfectly for this.

eth1 · 08-11-2009, 12:33 PM

You can also check CSF +BFD which is quite commonly used in the servers we manage.

Quote:

http://www.configserver.com/cp/csf.html

Lot of customizations can be made w.r.t Ingress and Outgress filtering, plus you can manually block/unblock an IP address using csf -d, csf -a etc.