Hi there
I realy thought i can solve this on my own, but after a long day of trying i ran out of ideas.
Basically i have a centos7 server and authenticate with RSA key and ssh.
To prevent someone to "bruteforce the RSA key" or just DoS the server i want to drop every ip that trys to authenticate more than 2 times in 10 minutes
I found lots of help on this topic but it just doesnt seem to work for me.
I cant use fail2ban because im running on vps and fail2ban needs access to the hardware which is of virtual nature and it errors
So i want to do it with iptables, but the rules just dont do theyr job. the logins are not even logged in /var/log/messages
here are my rules, maybe someone can find an error. thanks to everybody
:
Code:
# Completed on Wed Oct 18 19:35:27 2017
# Generated by iptables-save v1.4.21 on Wed Oct 18 19:35:27 2017
*filter
:INPUT DROP [662:65949]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1023:99687]
:LOGDROP - [0:0]
:SSHATTACK - [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 --name DEFAULT --rsource -j LOG
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT