SSH scanning

Posted Feb 15, 2007 9:44 UTC (Thu) by ahoogerhuis (guest, #4041)
In reply to: SSH scanning by ldo
Parent article: Linux botnets

# Accept trusted hosts
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport ssh -j ACCEPT

# For outsiders, rate-limit and enjoy
iptables -A INPUT -m recent -m state -p tcp -m tcp --dport ssh --state NEW --hitcount 3 --seconds 180 --update -j DROP
iptables -A INPUT -m recent -m state -p tcp -m tcp --dport ssh --set --state NEW -j ACCEPT

I.e. don't meddle in SSH from places we trust; for outsiders that DO need access, give them three attempts, otherwise it's the doghouse for a few minutes. Simple, very effective.

-A


SSH scanning

Posted Feb 15, 2007 10:51 UTC (Thu) by bkoz (guest, #4027)

Thanks for the iptables hackery. This is the #1 issue I see in my logs.

SSH scanning

Posted Feb 15, 2007 16:19 UTC (Thu) by nowster (subscriber, #67)

Order is important in these iptables commands. The commands in the parent appear to match on any traffic. Use instead:

# Accept trusted hosts
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport ssh -j ACCEPT

# For outsiders, rate-limit and enjoy
iptables -A INPUT -p tcp -m tcp --dport ssh \
        -m state --state NEW \
        -m recent --hitcount 3 --seconds 180 --update -j DROP

iptables -A INPUT -p tcp -m tcp --dport ssh \
        -m state --state NEW \
        -m recent --set -j ACCEPT
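The two "outsider" rules in both comments above behave in a way the one-line summary ("three attempts, then the doghouse") does not fully convey, so here is a small model of them, added by the editor and not code from either commenter. It follows the iptables recent match semantics: `--set` appends a timestamp for the source and always matches; `--update --seconds 180 --hitcount 3` matches when at least three stamps fall inside the last 180 seconds and, only when it matches, records another stamp. Because the DROP rule sits first and refreshes the entry on every hit, the window runs from the attacker's last dropped packet, so a bot that keeps knocking stays blocked for as long as it knocks, and the penalty only expires after 180 seconds of silence. The same run also shows why the trusted-hosts ACCEPT has to precede the rate-limit rules. Assumptions: the per-address stamp cap is the module's default `ip_pkt_list_tot=20`, the chain policy is ACCEPT, and every host address and timeline is constructed for the illustration.

```python
# Added example (the editor's model, not code from the thread): a simulation
# of the "outsider" rules above under the iptables 'recent' match semantics.
# --set appends a timestamp for the source address (and always matches);
# --update --seconds N --hitcount H matches when at least H stamps lie within
# the last N seconds and, only on a match, records another stamp.
# The stamp cap follows the module's default ip_pkt_list_tot=20 (assumed);
# the chain policy is assumed ACCEPT; all hosts and timelines are constructed.
from ipaddress import ip_address, ip_network

HITCOUNT = 3                           # --hitcount 3
SECONDS = 180                          # --seconds 180
TRUSTED = ip_network("192.168.0.0/24")  # -s 192.168.0.0/24
PKT_LIST_TOT = 20                      # stamps kept per address (assumed default)


class RecentList:
    """One 'recent' table: per-source list of packet times, newest last."""

    def __init__(self, max_stamps=PKT_LIST_TOT):
        self.stamps = {}
        self.max_stamps = max_stamps

    def set(self, src, now):
        """--set: add or refresh the entry with this packet's time; always matches."""
        lst = self.stamps.setdefault(src, [])
        lst.append(now)
        del lst[:-self.max_stamps]      # oldest stamps fall off the list
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds --hitcount: match if the address is listed and has
        at least `hitcount` stamps within `seconds`; a match refreshes the entry,
        so dropped packets keep extending the doghouse."""
        lst = self.stamps.get(src)
        if lst is None:
            return False
        hits = sum(1 for t in lst if now - t <= seconds)
        if hits < hitcount:
            return False
        self.set(src, now)
        return True


def ssh_chain(recent, trusted_first=True):
    """INPUT rules for NEW tcp/22 packets as (match, target) pairs, in order."""
    trusted = (lambda src, now: src in TRUSTED, "ACCEPT")
    limit = (lambda src, now: recent.update(src, now, SECONDS, HITCOUNT), "DROP")
    track = (lambda src, now: recent.set(src, now), "ACCEPT")
    # Moving the trusted rule to the end shows why its position matters.
    return [trusted, limit, track] if trusted_first else [limit, track, trusted]


def new_connection(chain, src, now):
    """Verdict for one NEW connection from src at time now: first match wins."""
    src = ip_address(src)
    for matches, target in chain:
        if matches(src, now):
            return target
    return "ACCEPT"                     # assumed chain policy


def verdicts(timeline, trusted_first=True):
    """Run a (seconds, source) timeline through a fresh table and chain."""
    recent = RecentList()
    chain = ssh_chain(recent, trusted_first)
    return [new_connection(chain, src, t) for t, src in timeline]


def trusted_burst():
    """LAN host opening five connections in five seconds: never limited."""
    return verdicts([(t, "192.168.0.5") for t in range(5)])


def outsider_sequence():
    """Four quick tries, a retry 100 s later while still blocked, then one
    after more than 180 s of silence since the last (dropped) attempt."""
    src = "198.51.100.9"
    return verdicts([(0, src), (1, src), (2, src), (3, src), (100, src), (290, src)])


def scanner_every_30s():
    """Bot retrying every 30 s for ten minutes: three accepts, then blocked
    for as long as it keeps coming, because each drop refreshes the entry."""
    return verdicts([(30 * i, "203.0.113.7") for i in range(21)])


def misordered_trusted():
    """Same LAN burst with the trusted rule placed last: it gets rate-limited."""
    return verdicts([(t, "192.168.0.5") for t in range(5)], trusted_first=False)


if __name__ == "__main__":
    for name, fn in [("trusted", trusted_burst), ("outsider", outsider_sequence),
                     ("scanner", scanner_every_30s), ("misordered", misordered_trusted)]:
        print(f"{name:>10}: {' '.join(fn())}")
```

Two caveats for anyone deploying the rules: the limit counts NEW connections, not password guesses, and sshd lets a client make several authentication attempts per connection (MaxAuthTries, default 6), so "three attempts" is really up to three times that many guesses; and a connection that is already ESTABLISHED is untouched by the rules, only fresh SYNs are.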


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds