Rate limit incoming ssh connections

So apparently, there's a ssh worm in the wild that tries to break into servers by bombarding the ssh daemon with logins. No idea what they think they can achieve with this, since it mostly just takes down the ssh service (for everyone, including themselves). So it's more annoying and inconvenient (you can't login) than threatening, in my opinion.

Luckily, there are easy ways to deal with this. We use the following ferm recipe to limit the incoming new ssh connections on source ip basis. Hope this helps someone.

You do the following in the filter table from the input chain. We assume you already allow established connections to pass.

proto tcp dport ssh {
  # Rate-limit incoming SSH connections
  mod state state NEW mod recent name "ssh" {
    set NOP;
    update seconds 300 hitcount 31 REJECT reject-with tcp-reset;

# allow SSH clients which play nice ACCEPT; }

This will keep track of the number of connections made on the ssh port in the last 300 seconds, per source ip address. If more than 30 connections are made within 300 seconds, they will be rejected. Otherwise, they're allowed.

This works great for us, but you want to test it before using it in a production environment, of course!

Update: So ipt_recent only allows up to 20 counts. You might want to change the numbers in this recipe a bit to make it work correctly ;-)

Update 2: Or even better:

$ cat /etc/modprobe.d/ipt_recent

options ipt_recent ip_pkt_list_tot=31

$ sudo /etc/init.d/ferm stop

$ sudo rmmod ipt_recent

$ sudo /etc/init.d/ferm start

You can check /sys/module/ipt_recent/parameters/ip_pkt_list_tot to see if it changed.

Btw, this all is not my own research, merely transcribing what Bart and Kees researched.


Comments powered by Disqus