iptables rules for rate-limiting SSH connections

This is what I use on my CentOS boxes/VMs; it rate-limits the connections and also rate-limits the log messages (to prevent attacks that attempt to fill up the server’s disk).

iptables -F
iptables -X
iptables -N LOGDROP # Create the LOGDROP chain
iptables -A LOGDROP -m limit --limit 1/s -j LOG --log-prefix "LOGDROP: " # Rate-limit the logging so the logs don't fill up the server
iptables -A LOGDROP -j DROP
# -I inserts at the top of INPUT, so the rule inserted LAST is evaluated FIRST.
# The internal-network ACCEPT is therefore inserted last, so trusted hosts are never counted in the bucket.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set # record the new connection in the "bucket" (the recent list)
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP # if there are more than 4 connection attempts in 60 seconds from a given address, log-drop it.
iptables -I INPUT -p tcp --dport 22 -s 10.0.0.0/16 -j ACCEPT # Allow everything from the internal network (inserted last, so checked first)

After issuing these commands I run /etc/init.d/iptables save, which persists the rules to … somewhere. Alternatively I sometimes put all the above commands in some bash script and just call it from /etc/rc.local.
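The rc.local-style script mentioned above, as an added example that is not the post's own code: it emits the same rule set with -A, so the rules are listed in the order the kernel evaluates them (internal-network exemption first, then the recent check, then the recording rule), and a dry-run mode sets IPT=echo to print the rules without touching the firewall. The interface eth0 and the 10.0.0.0/16 network come from the post; the variable names and the dry-run/apply arguments are assumptions of this example.

```shell
#!/bin/sh
# Constructed example script (not the post's own). Assumptions: the SSH-facing
# interface is eth0 and the trusted network is 10.0.0.0/16; IPT can be set
# to "echo" to print the rules instead of applying them.
IPT="${IPT:-iptables}"
SSH_IF="${SSH_IF:-eth0}"
TRUSTED_NET="${TRUSTED_NET:-10.0.0.0/16}"
WINDOW="${WINDOW:-60}"       # sliding window in seconds
HITS="${HITS:-4}"            # new connections tolerated inside the window
LOG_RATE="${LOG_RATE:-1/s}"  # cap on LOGDROP log lines

# Clear the filter table, as the post does before re-applying.
reset_rules() {
    $IPT -F
    $IPT -X
}

# Emit the rules with -A, so they are listed in the order the kernel
# evaluates them (with -I, the command run last is checked first).
ssh_ratelimit_rules() {
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit "$LOG_RATE" -j LOG --log-prefix "LOGDROP: "
    $IPT -A LOGDROP -j DROP
    # Trusted network first, so its connections are never counted.
    $IPT -A INPUT -p tcp --dport 22 -s "$TRUSTED_NET" -j ACCEPT
    # An address already seen HITS times within WINDOW seconds is log-dropped...
    $IPT -A INPUT -p tcp --dport 22 -i "$SSH_IF" -m state --state NEW \
        -m recent --update --seconds "$WINDOW" --hitcount "$HITS" -j LOGDROP
    # ...otherwise this attempt is recorded in the recent list.
    $IPT -A INPUT -p tcp --dport 22 -i "$SSH_IF" -m state --state NEW \
        -m recent --set
}

# 1-based position of the first emitted rule containing the given fixed
# string, or 0 if none; lets a dry run verify the evaluation order.
rule_position() {
    IPT=echo ssh_ratelimit_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

case "${1:-}" in
    dry-run) IPT=echo ssh_ratelimit_rules ;;          # print, do not apply
    apply)   reset_rules && ssh_ratelimit_rules ;;    # needs root
esac
```

Run it with dry-run to inspect the rules, with apply (as root) to install them, then persist them with /etc/init.d/iptables save as described above.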
