====== Prevent SSH Brute Force Attacks using Iptables ======

If you see a lot of these messages in /var/log/secure you might consider blocking SSH based on time and source IP.\\

sshd[30138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.188.7.185  user=root\\
sshd[30138]: Failed password for root from 119.188.7.185 port 9482 ssh2\\
Received disconnect from 119.188.7.185: 11: Bye Bye\\
Invalid user oracle from 119.188.7.185\\
input_userauth_request: invalid user oracle\\
pam_unix(sshd:auth): check pass; user unknown\\
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=119.188.7.185\\
Failed password for invalid user oracle from 119.188.7.185 port 9647 ssh2\\
Received disconnect from 119.188.7.185: 11: Bye Bye\\

This functionality can be achieved by using iptables recent module.

Add following to your /etc/sysconfig/iptables:

  A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set --name SSH
  A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "FW_DROPPED:"
  A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 3 --rttl --name SSH -j DROP
  A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Short description of the rules:

  - or each new connection attempt to port 22, add the remote source address to the "SSH" tracking table\\
  - If this is the third such new connection within 600 seconds, update the remote source address entry in the tracking table and log rejection action\\
  - If this is the third such new connection within 600 seconds, update the remote source address entry in the tracking table and DROP the connection\\
  - Otherwise, accept the new connection.