[TriLUG] Fw: TALUG: Preventing SSH Dictionary Attacks With DenyHosts

David Brain dbrain at gmail.com
Mon Feb 20 10:36:07 EST 2006


> The comments to this Howto are as good as the article...  The upshot:
> There are lots of ways to do it.  Are you using at least one?
>
> http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
>


Another alternative to the 'recent' iptables match - I use
hashlimit, which seems to work fairly well too. Something like:

#limits new connections to 10/minute (by IP)
#(hashlimit's default burst is 5; gcinterval/expire are in milliseconds,
# so 36000000 is 10 hours)
iptables --new conlimit
iptables --append conlimit -m hashlimit --hashlimit 10/min \
--hashlimit-mode srcip --hashlimit-htable-gcinterval 36000000 \
--hashlimit-htable-expire 36000000 --hashlimit-name conhash \
-m state --state NEW -j ACCEPT
#already-established sessions are never rate limited
iptables --append conlimit -m state --state ESTABLISHED -j ACCEPT
#anything over the per-IP budget falls through to here
iptables --append conlimit -j REJECT

#connection limit ssh externally
iptables --append INPUT --proto TCP --dport ssh -j conlimit
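To get a feel for what that 10/min per-source budget actually does to a dictionary attack versus a normal admin login, here is a small Python model of the hashlimit rule above (an added illustration, not part of the original post or of iptables itself). It assumes the default hashlimit burst of 5 and approximates the kernel's credit accounting as a per-IP token bucket; the source IPs and timestamps are constructed sample input.

```python
# Simplified model of "-m hashlimit --hashlimit 10/min --hashlimit-mode srcip"
# (assumption: default --hashlimit-burst of 5). One bucket per source IP.
RATE_PER_MIN = 10
BURST = 5
COST = 60 // RATE_PER_MIN          # each new connection costs 6 seconds of credit
CAP = BURST * COST                 # a full bucket holds 30 seconds of credit


class SrcIpLimiter:
    """Per-source-IP credit bucket: refills one second of credit per second,
    capped at CAP, and each NEW connection spends COST. Integer timestamps
    keep the arithmetic exact."""

    def __init__(self):
        self.buckets = {}          # src_ip -> [credit, last_seen]

    def allow(self, src_ip, t):
        credit, last = self.buckets.get(src_ip, (CAP, t))
        credit = min(CAP, credit + (t - last))
        if credit >= COST:         # rule matches -> ACCEPT
            self.buckets[src_ip] = [credit - COST, t]
            return True
        self.buckets[src_ip] = [credit, t]
        return False               # falls through to the REJECT rule


def run_demo():
    """Constructed scenario: a brute-forcer opening one SSH connection per
    second for 12 s, and an admin connecting twice. Returns (ip, t, allowed)."""
    attacker, admin = "203.0.113.5", "198.51.100.7"
    events = [(attacker, t) for t in range(12)] + [(admin, 3), (admin, 40)]
    lim = SrcIpLimiter()
    return [(ip, t, lim.allow(ip, t)) for ip, t in sorted(events, key=lambda e: e[1])]


if __name__ == "__main__":
    for ip, t, ok in run_demo():
        print(f"t={t:2d}s {ip:14s} {'ACCEPT' if ok else 'REJECT'}")
```

The attacker burns the 5-connection burst in the first 5 seconds and is then held to roughly one attempt every 6 seconds, while the admin's separate bucket is never touched.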
