Being the LinuxCzar with tools like iptables and LVS, I view network traffic as almost infinitely malleable. So one of the ways I currently deal with SSH scans on my personal machines is to rate-limit new connections to the SSH port.

These examples are copied out of my /etc/sysconfig/iptables file.

First, any new connection (state NEW, i.e. the initial SYN) to my SSH port is sent to its own rule chain. Only connection attempts are counted here, not password guesses inside an established session:

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN

I define the SSHSCAN chain as follows. This uses the "recent" iptables match module that ships in the stock RHEL 5 kernel and later. First, we record the packet's source address in a list named SSH (--rsource, the default, keys the list on the source address; this rule has no target, so processing continues with the next rule):

-A SSHSCAN -m recent --set --name SSH --rsource

Now we have a history of IP addresses that have connected to our SSH port. If an address has at least 10 hits in the last 300 seconds (--hitcount matches when the count is greater than or equal to the value given), we log that we are being SSH scanned. Note that --update, unlike --rcheck, also records a fresh hit for the address whenever the rule matches:

-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH \
-j LOG --log-level info --log-prefix "SSH SCAN blocked: "

Again, if the source address has at least 10 hits in 300 seconds, we drop the packet on the floor. Because the --set rule above has already recorded the current packet, the tenth new connection from an address within the window is the first one blocked:

-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH \
--rsource -j DROP

If we don't match any of the rules above, we have an SSH SYN packet from an address that has not reached the block threshold, so we accept it:

-A SSHSCAN -j ACCEPT

Now, as I look at the above, I notice that the DROP rule should probably use --rcheck instead of --update. --update records a fresh hit for the address every time it matches, while --rcheck only tests, so with both threshold rules on --update each blocked SYN adds three entries to the history (one from --set and one from each --update rule) instead of one. That does not change when an address first gets blocked, but it does keep a persistent scanner blocked for longer, since the extra entries take longer to age out of the 300-second window...but...anyway....
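To see the effect of that choice without touching a live firewall, the following shell script is an added example (not from the original post) that simulates the documented --set / --rcheck / --update semantics of the recent module for a single source address: every new SYN records one timestamp via --set, a threshold rule matches when at least --hitcount timestamps fall within --seconds, and each matching --update rule records one more timestamp. It assumes the default ring of 20 timestamps per address (the module's ip_pkt_list_tot parameter) and uses a constructed arrival sequence; it is a model of the rules above, not the kernel code.

```shell
#!/bin/sh
# Added example: simulate the SSHSCAN chain's recent-module bookkeeping.
#
# recent_sim WINDOW HITCOUNT UPDATE_RULES "t1 t2 t3 ..."
#   WINDOW        --seconds value of the threshold rules
#   HITCOUNT      --hitcount value of the threshold rules
#   UPDATE_RULES  how many of the two threshold rules (LOG, DROP) use
#                 --update rather than --rcheck: 2 = post as written,
#                 1 = LOG --update / DROP --rcheck, 0 = both --rcheck
#   timestamps    SYN arrival times in seconds, one source address
# Prints one line per SYN: t=<time> <ACCEPT|DROP> hits=<count in window>
recent_sim() {
    printf '%s\n' "$4" | awk -v window="$1" -v hitcount="$2" -v upd="$3" -v cap=20 '
    # Record a timestamp; the kernel keeps a ring of cap entries per address
    # (ip_pkt_list_tot, default 20 -- assumption: default not overridden).
    function stamp(now) {
        st[idx % cap] = now; idx++
        if (nst < cap) nst++
    }
    # Count timestamps no older than window seconds (boundary inclusive).
    function hits(now,    i, n) {
        n = 0
        for (i = 0; i < nst; i++) if (now - st[i] <= window) n++
        return n
    }
    {
        for (f = 1; f <= NF; f++) {
            now = $f
            stamp(now)                 # rule 1: -m recent --set records every new SYN
            h = hits(now)              # rules 2 and 3 test --seconds/--hitcount
            if (h >= hitcount) {       # "at least", not "more than"
                verdict = "DROP"
                for (k = 0; k < upd; k++) stamp(now)   # each matching --update adds a hit
            } else {
                verdict = "ACCEPT"     # rule 4: falls through to ACCEPT
            }
            printf "t=%s %s hits=%d\n", now, verdict, h
        }
    }'
}

# Constructed demo input: twelve SYNs ten seconds apart, then one more
# 275 seconds after the last of them (inside the window only for t >= 85).
TIMES="0 10 20 30 40 50 60 70 80 90 100 110 385"
echo "== LOG --update, DROP --update (as in the post) =="
recent_sim 300 10 2 "$TIMES"
echo "== LOG --update, DROP --rcheck =="
recent_sim 300 10 1 "$TIMES"
echo "== both --rcheck =="
recent_sim 300 10 0 "$TIMES"
```

In every variant the tenth SYN (t=90) is the first one dropped, since the --set rule has already counted it. The variants differ at t=385: with both threshold rules on --update the three earlier blocked SYNs left nine entries in the window, so the late probe is the tenth hit and is dropped too; with the DROP rule on --rcheck it is only the seventh and gets through. On a real host the live list is readable at /proc/net/ipt_recent/SSH on RHEL 5 (/proc/net/xt_recent/SSH on later kernels), and `echo / > ` into that file flushes it.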
