Your Linux Data Center Experts

I've been locking down SSH on some of our machines lately. In addition to turning off Password authentication and PAM, I've also set up an iptables connection rate limit. Here's what I've done to do that.

Unfortunately, Debian doesn't have the “hashlimit” module which I've spoken about here before. It does have the “limit” module though. The lines below are in the “iptables-restore” format. To run them manually you might just want to change the “-A” to “iptables -I” and run them in reverse order.

-A INPUT -m tcp -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m tcp -p tcp -s --dport 22 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 22 -j DROP

This assumes that you are running SSH on port 22. The second line allows the hosts on the network block to connect an unlimited number of times. Do this for hosts that you would normally connect from. Then, in an emergency, you can get in from another machine, as long as someone else isn't hitting the machine more than 3 times per second.

comments powered by Disqus

Join our other satisfied clients. Contact us today.