How to Set Up SSH Brute Force Protection With IPtables

Protecting your server from an onslaught of SSH packets is easy with iptables. There are a few options for configuring the protection, depending on whether you want to block repeated brute forcing or only allow whitelisted IPs to connect. We’ll show you all the options in this guide.

Limit the Rate of Incoming SSH Attempts

The following iptables rules will block IP addresses that attempt more than 5 SSH connections in 60 seconds.

iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 -j DROP

The first line adds the source address of every new connection to port 22 (SSH) to the recent module's tracking list. The second line drops packets from any address whose entry shows 6 or more new connection attempts within a 60-second window; because it uses --update rather than --rcheck, every further attempt refreshes the entry, so the block stays in place for as long as the attempts keep coming.

If you want to be more lenient or strict, change the --seconds and --hitcount values in the second line.

If you want to insert these rules at the top of your INPUT chain, so they get triggered before the rest of your rules, use -I instead of -A in your commands:

iptables -I INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -I INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 -j DROP

To put the rules even further up, you can add them to the PREROUTING chain of the mangle table. This is the recommended approach, as the rules are evaluated as early as possible and use fewer system resources, since brute force packets never make it as far as the filter table's chains:

iptables -t mangle -A PREROUTING -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -t mangle -A PREROUTING -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 -j DROP

Log SSH Brute Force Attacks

Add logging to these SSH rules to see which IP addresses are brute forcing SSH on the server. The rules below create a dedicated SSHBRUTEFORCE chain that logs the packet (rate limited to 60 entries per minute so the log cannot be flooded) and then drops it; the PREROUTING rules jump to that chain instead of dropping directly:

iptables -t mangle -N SSHBRUTEFORCE
iptables -t mangle -A SSHBRUTEFORCE -m limit --limit 60/min -j LOG --log-prefix "Dropped SSH Packets: " --log-level 4
iptables -t mangle -A SSHBRUTEFORCE -j DROP

iptables -t mangle -A PREROUTING -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -t mangle -A PREROUTING -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 -j SSHBRUTEFORCE
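Once the LOG rule is in place, the kernel log is the record of who is being dropped. The script below is an added example, not code from the original article: it summarises the "Dropped SSH Packets: " lines from kernel log input and prints a count per source address, busiest first. The function name top_ssh_droppers is this example's own, and the sample log lines are constructed (they use RFC 5737 documentation addresses) so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original article: summarise which
# source addresses are hitting the "Dropped SSH Packets: " LOG rule.
# Reads kernel log lines on stdin (journalctl -k, /var/log/kern.log or
# /var/log/messages) and prints "count address", busiest first.
# The log prefix is the one used in the article's SSHBRUTEFORCE chain;
# the SAMPLE_LOG lines below are constructed and use RFC 5737
# documentation addresses.

top_ssh_droppers() {
    grep 'Dropped SSH Packets: ' \
      | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
      | awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' \
      | sort -rn
}

# Constructed sample: three drops from 203.0.113.5, one from 198.51.100.7,
# plus an unrelated sshd line that must be ignored.
SAMPLE_LOG='Jun  1 10:00:01 host kernel: Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:02 host kernel: Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:03 host kernel: Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9901 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  1 10:00:04 host sshd[1234]: Accepted publickey for alice from 192.0.2.20 port 50022 ssh2
Jun  1 10:00:05 host kernel: Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4323 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Run the summary over the constructed sample.
sample_report() {
    printf '%s\n' "$SAMPLE_LOG" | top_ssh_droppers
}

# Stand-alone use: the sample report, or on a live host
#   journalctl -k | top_ssh_droppers
sample_report
```

Two things to keep in mind when reading the counts: the -m limit --limit 60/min match in the SSHBRUTEFORCE chain caps how many drops are logged, so the numbers are a lower bound on the packets actually dropped, and the addresses the recent module is tracking right now (with their timestamps) can be read directly from /proc/net/xt_recent/DEFAULT, since the rules above do not pass --name and therefore use the DEFAULT list.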

Whitelist IP Addresses

The above rules will certainly protect your server from SSH brute forcing, but whitelisting IP addresses and blocking everything else is even more effective. This isn’t feasible in situations where you or other users are SSHing into the server from dynamic IP addresses. However, if you and the other users on the system always log in from the same IP addresses, these rules will suit you even better.

Here’s an example where 10.1.1.1 and 192.168.1.1 are whitelisted and SSH packets from any other IP address are dropped. Because -I inserts each rule at the top of the chain, the DROP rule is added first so that the ACCEPT rule, inserted after it, ends up above it:

iptables -I INPUT -p tcp --dport ssh -j DROP
iptables -I INPUT -p tcp -s 10.1.1.1,192.168.1.1 --dport ssh -j ACCEPT

Add as many IP addresses or subnets as you’d like to the whitelist, comma-separated in the -s argument (iptables expands the list into one rule per address).
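As an added example that is not part of the original article, the script below builds the whitelist from a list of addresses or CIDR ranges, validates each entry before anything is handed to iptables, and inserts the rules in the order that -I requires (DROP first, then ACCEPT, so the ACCEPT lands on top of the INPUT chain). The valid_ipv4_cidr and apply_ssh_whitelist names and the IPT variable are this example's own; it assumes IPv4 only, and setting IPT=echo previews the commands without root.

```shell
#!/bin/sh
# Added example (not from the original article): build the SSH whitelist
# rules from a list of IPv4 addresses / CIDR ranges, rejecting malformed
# entries before they reach iptables. Assumptions: IPv4 only; the IPT
# variable names the iptables binary (IPT=echo previews the commands).

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    # No "/" present: ${1#*/} leaves the string unchanged, so treat as /32.
    [ "$prefix" = "$1" ] && prefix=32
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # Split on "." only; spaces or other characters stay inside an octet
    # and are rejected by the digit check below.
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate every entry, then insert DROP first and ACCEPT second so the
# ACCEPT (inserted last with -I) ends up above the DROP in INPUT.
apply_ssh_whitelist() {
    list=""
    for entry in "$@"; do
        if valid_ipv4_cidr "$entry"; then
            list="${list:+$list,}$entry"
        else
            echo "rejected invalid address: $entry" >&2
            return 1
        fi
    done
    [ -n "$list" ] || { echo "no addresses given" >&2; return 1; }
    "${IPT:-iptables}" -I INPUT -p tcp --dport ssh -j DROP
    "${IPT:-iptables}" -I INPUT -p tcp -s "$list" --dport ssh -j ACCEPT
}

# Stand-alone use:  sh whitelist.sh 10.1.1.1 192.168.1.1
# (as root, or with IPT=echo to preview the two rules).
if [ $# -gt 0 ]; then
    apply_ssh_whitelist "$@"
fi
```

Validating before calling iptables matters because the command is usually run from a script as root: an entry like "10.1.1.1 -j ACCEPT" is refused outright instead of being passed through to the rule, and a failed entry aborts the whole run so the chain is never left with the DROP in place but no ACCEPT above it.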

View IPtables Rules

To see the rules you’ve configured and how much traffic has been triggering them, you can use the iptables -L command. For a more thorough and clear output, we recommend adding the following options:

To see the rules in the filter table, which holds the INPUT chain:

iptables -L -v -n --line-numbers

To see the rules in the mangle table, which holds the PREROUTING chain used above:

iptables -L -v -n --line-numbers -t mangle
