It always annoys me when I see the log filling up with ssh attacks. It isn’t really a worry, these are password guessing and since passwords aren’t permitted they will never work. <\/p>\n\n\n\n
I’ve been meaning for a long time to investigate the tools available in iptables with the “recent” module to detect them and block them. Today I finally did it. <\/p>\n\n\n\n
There is a little script in \/root called sshdrop, which contains the iptables rules. It is parameterized, but currently set for reacting to more than 2 syn in 20 seconds, and sends rejects with tcp-reset. <\/p>\n\n\n\n
I also downloaded a little python script to inspect the \/proc\/net\/xt-recent\/DEFAULT and decode it a bit, which lets me see how many attackers, and how recently. The script is invoked with ipt_recents -txt. <\/p>\n\n\n\n
Seems to be working well. <\/p>\n","protected":false},"excerpt":{"rendered":"
It always annoys me when I see the log filling up with ssh attacks. It isn’t really a worry, these are password guessing and since passwords aren’t permitted they will never work. I’ve been meaning for a long time to investigate the tools available in iptables with the “recent” module to detect them and block … Continue reading Detecting SSH Brute Force<\/span>