Detecting SSH Brute Force

It always annoys me when I see the log filling up with ssh attacks. It isn’t really a worry, these are password guessing and since passwords aren’t permitted they will never work.

I’ve been meaning for a long time to investigate the tools available in iptables with the “recent” module to detect them and block them. Today I finally did it.

There is a little script in /root called sshdrop, which contains the iptables rules. It is parameterized, but currently set for reacting to more than 2 syn in 20 seconds, and sends rejects with tcp-reset.

I also downloaded a little python script to inspect the /proc/net/xt-recent/DEFAULT and decode it a bit, which lets me see how many attackers, and how recently. The script is invoked with ipt_recents -txt.

Seems to be working well.