My logs were getting filled with scripts trying to log in via ssh. I already have “PasswordAuthentication no” so I believe I am safe. I wanted to add a new layer (and keep my logs cleaner). I added the following to my iptables config. Anyone with more than 4 connections in 60 seconds is banned:
```
:SSHAUTOBAN - [0:0]
. . .
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j SSHAUTOBAN
. . .
-A SSHAUTOBAN -m recent --set --name SSH
-A SSHAUTOBAN -m recent --rcheck --hitcount 4 --name SSH -j LOG
-A SSHAUTOBAN -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
-A SSHAUTOBAN -m recent --rcheck --name SSH -j ACCEPT
COMMIT
```
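To see which attempt the chain actually drops and how long a ban lasts, here is a small Python model of its four `recent` rules. It is an added example, not part of the original post. Assumptions: one call per NEW packet to port 22, a constant TTL per source (so `--rttl` never excludes a packet), an unbounded hit list (the real module caps stored hits per address), and a constructed source address and timestamps.

```python
from collections import defaultdict

HITCOUNT = 4   # --hitcount 4 from the chain
SECONDS = 60   # --seconds 60 from the chain


class SshAutoBan:
    """Per-source timestamp list, standing in for the 'SSH' recent list."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def new_connection(self, src, now):
        """Walk one NEW tcp/22 packet through the chain.

        Returns (verdict, logged).
        """
        seen = self.stamps[src]
        # -m recent --set: record this packet; no target, so fall through.
        seen.append(now)
        # -m recent --rcheck --hitcount 4 -j LOG: no --seconds, so every
        # stored hit counts, however old. LOG does not end traversal.
        logged = len(seen) >= HITCOUNT
        # -m recent --update --seconds 60 --hitcount 4 -j DROP
        recent = [t for t in seen if now - t <= SECONDS]
        if len(recent) >= HITCOUNT:
            seen.append(now)  # a matching --update records another hit
            return "DROP", logged
        # -m recent --rcheck -j ACCEPT: the source is listed, so this matches.
        return "ACCEPT", logged


def replay(times, src="198.51.100.7"):  # constructed documentation address
    """Feed connection times (in seconds) from one source through the chain."""
    fw = SshAutoBan()
    return [fw.new_connection(src, t) for t in times]


if __name__ == "__main__":
    for label, times in [("burst", [0, 5, 10, 15, 20]),
                         ("retry every 20s", [0, 1, 2, 3, 23, 43, 63, 83]),
                         ("one per 30s", [0, 30, 60, 90, 120])]:
        print(label, replay(times))
```

In this model the fourth new connection inside the window is the first one dropped, a banned source that keeps retrying every 20 seconds never gets back in, and a slow client at one attempt per 30 seconds is accepted but still reaches the LOG rule from its fourth attempt on.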