Hi. I'm a Unix Administrator, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: Unix.
Auto-block ssh brute force attacks using built-in tools (OpenBSD and Linux)

Posted 08-30-2012 at 01:28 AM by rocket357

I've run a cool trick for a while on my OpenBSD firewall at home, where traffic from any given IP address to port 22 on the firewall is rate limited. If an IP exceeds the given rate, it is put into a ban list (a table, actually) that the firewall is configured to drop all traffic from. It works well, and the same functionality can be set up in Linux, too.

To set it up on OpenBSD (this is lifted verbatim from the pf user's guide on the OpenBSD website, hence port www instead of port ssh):

table <abusive_hosts> persist
block in quick from <abusive_hosts>

pass in on $ext_if proto tcp to $web_server \
port www flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush)

Basically: set up a table to hold the bad guys' IPs; block incoming traffic from anyone in the table (a neat feature when you couple it with pfctl -t abusive_hosts -T add <friendly_ip>, should you ever want to mess with the person(s) coming from <friendly_ip>, heh); and for new connections from IPs that aren't already blocked, check the rate at which new connections are being made (more than 15 connections in 5 seconds, or more than 100 simultaneous connections from one source). A source that exceeds either limit is added to the bad-IP table and its existing connections are killed off (that is what flush does).

Personally, I use this for ssh, not www. Probably because I don't run a webserver at home =) Edit the above to suit your needs.

For Linux, the xt_recent module (the iptables "recent" match) performs a similar task, albeit in a typically "linux-ish" way:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

service iptables save

Instead of pfctl, you echo values into the /proc/net/xt_recent/* files. To remove an IP from the ban list, for instance, you would echo -<ip_to_remove> > /proc/net/xt_recent/SSH (SSH being the list name used above). To add an IP, simply switch the - to a +. (service iptables save persists the rules on Red Hat-style systems; other distributions use iptables-save instead.)
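To see how the two thresholds above behave against the same traffic, here is a small simulation I've added (not code from the post or from pf/iptables): it models pf's max-src-conn-rate 15/5 with a persistent overload table and xt_recent's --hitcount 4 --seconds 600 sliding window, and runs both over constructed connection attempts from a scanner and from an admin. The IPs, timings and the simplification that only new connections count as hits are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample: a parallel scanner (TEST-NET-2 address) opens 20
# connections in the same second and then one per second for 20 s, while an
# admin (TEST-NET-1 address) logs in at t=0, 100, 200, 500 and 1200 s.
SCANNER, ADMIN = "198.51.100.7", "192.0.2.10"
ATTEMPTS = sorted([(0, SCANNER)] * 20 + [(t, SCANNER) for t in range(1, 21)]
                  + [(t, ADMIN) for t in (0, 100, 200, 500, 1200)])

def simulate_pf(attempts, limit=15, seconds=5):
    """Model 'max-src-conn-rate limit/seconds, overload <table>': the source is
    added to the (persist) table once more than `limit` new connections arrive
    within `seconds`, and everything from it is blocked until pfctl removes it."""
    window, table, dropped = defaultdict(deque), set(), []
    for ts, src in attempts:
        if src in table:
            dropped.append((ts, src))
            continue
        q = window[src]
        q.append(ts)
        while ts - q[0] > seconds:        # forget connections outside the window
            q.popleft()
        if len(q) > limit:                # rate exceeded: overload the source
            table.add(src)
            dropped.append((ts, src))
    return table, dropped

def simulate_xt_recent(attempts, hitcount=4, seconds=600):
    """Model '--set' on NEW followed by '--update --seconds S --hitcount H -j DROP':
    every new connection is a hit, and the packet is dropped as soon as `hitcount`
    hits fall inside the last `seconds`. There is no persistent table: a source
    that stays quiet for `seconds` ages out (real --update also refreshes the entry
    on every dropped packet, so a source that keeps hammering never ages out)."""
    hits, dropped = defaultdict(list), []
    for ts, src in attempts:
        hits[src] = [t for t in hits[src] if ts - t <= seconds] + [ts]
        if len(hits[src]) >= hitcount:
            dropped.append((ts, src))
    return dropped

if __name__ == "__main__":
    table, pf_dropped = simulate_pf(ATTEMPTS)
    print("pf overloaded:", sorted(table), "dropped:", len(pf_dropped))
    xt_dropped = simulate_xt_recent(ATTEMPTS)
    for src in (SCANNER, ADMIN):
        print(f"xt_recent dropped {sum(s == src for _, s in xt_dropped)} from {src}")
```

With the post's thresholds, xt_recent also drops the admin's fourth login inside ten minutes, which is exactly the case the echo -<ip> > /proc/net/xt_recent/SSH trick above exists for; pf's 15-in-5-seconds rule never touches the admin but only catches the scanner's burst.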

Well, there you go. Short, sweet, and simple. I don't have anything against projects like fail2ban and such, but if you're running a secure firewall (as I am), you probably don't want extra daemons running (regardless of whether they're listening on ports or not).