Blocking Brute Force SSH Attacks

Last Updated on 07/18/2013 by dboth

SSH provides a secure remote login capability that encrypts not only the connection setup and password sequence but also the entire session. This means that all of the data passed between the two computers is encrypted and thus very secure.

There are forms of attack that target SSH, but the vast majority of these are simply brute-force attacks in which script kiddies run scripts that repetitively try to log in to common user IDs with common dictionary passwords and variations.

Thwarting these attacks is fairly easy and can be enhanced by enforcing strong passwords with relatively frequent password expiration. A good password policy is one part of defending against this type of attack.

Firewall Defense

These brute-force attacks depend on attempting a large number of connections in a short period of time using different ID and password combinations. So a second defense is to use some intrinsic capabilities of the Linux netfilter firewall. We can use iptables to configure a throttle that allows only a specific number of connection attempts for SSH in a specified time frame. This will severely restrict the number of ID/password combinations that brute-force attackers can attempt.

The following two iptables commands can be added to the INPUT chain to create the throttle.

iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -m state \
    --state NEW -m recent --set --name SSH
iptables -I INPUT 2 -i eth0 -p tcp --dport 22 -m state \
    --state NEW -m recent --update --seconds 600 --hitcount 6 \
    --rttl --name SSH -j DROP


The first command basically says that we are tracking all new and recent SSH connections. The second line specifies that we will only allow six new connections within 600 seconds, or ten minutes. The seventh connection within that time period will preclude all additional SSH connections until there have been fewer than 10 connections in the past 10 minutes. Using a script to attempt the connections will cause this block to occur sometime within the first few seconds. The bad guys’ scripts will have timed out early in the attack and they will give up and move on to a more vulnerable computer.


Note that this strategy counts both successful and failed attempts. It may lock you out of the remote computer for the set period of time, so you will want to adjust the number of hits and the time frame very carefully to reduce this potential drawback.
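To see how a given --hitcount and --seconds pair treats different connection patterns before touching a live firewall, the following added example (not code from the original article) models the two rules in Python; under the model, rule 2 matches once the packets recorded in the window, the current one included, reach --hitcount. The class and function names, the 203.0.113.7 address and the traffic timings are constructed for illustration, and the model ignores --rttl and TCP SYN retransmissions.

```python
from collections import defaultdict


class RecentThrottle:
    """Simplified model of the two rules: `-m recent --set`, then
    `-m recent --update --seconds S --hitcount H -j DROP` (NEW packets only)."""

    def __init__(self, seconds=600, hitcount=6):
        if hitcount < 2:
            raise ValueError("hitcount must be at least 2")
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(list)  # source address -> times of NEW packets

    def new_connection(self, src, now):
        """Verdict for a NEW packet from `src` at time `now` (in seconds)."""
        # Rule 1 (--set) records every NEW packet, including ones rule 2 drops.
        self.stamps[src].append(now)
        # Rule 2 counts the packets recorded inside the window, this one included.
        recent = [t for t in self.stamps[src] if now - t <= self.seconds]
        self.stamps[src] = recent  # older entries can never count again
        return "DROP" if len(recent) >= self.hitcount else "ACCEPT"

    def earliest_retry(self, src):
        """Time after which a silent `src` is accepted again, or None if
        fewer than hitcount-1 packets are on record for it."""
        seen = self.stamps[src]
        if len(seen) < self.hitcount - 1:
            return None
        # The (hitcount-1)-th newest packet has to age out of the window.
        return seen[-(self.hitcount - 1)] + self.seconds


def replay(times, seconds=600, hitcount=6, src="203.0.113.7"):
    """Return (verdicts, earliest_retry) for one source; `times` is constructed input."""
    fw = RecentThrottle(seconds, hitcount)
    return [fw.new_connection(src, t) for t in times], fw.earliest_retry(src)


if __name__ == "__main__":
    cases = {  # constructed traffic patterns, times in seconds
        "script, one try every 2 s": range(0, 40, 2),
        "script, one try every 60 s for an hour": range(0, 3600, 60),
        "admin opening six sessions in a minute": [0, 10, 20, 30, 40, 50],
    }
    for label, times in cases.items():
        verdicts, retry = replay(times)
        print(f"{label}: {verdicts.count('ACCEPT')} accepted, "
              f"{verdicts.count('DROP')} dropped, accepted again after t={retry}")
```

Because dropped packets are still recorded by the first rule, every retry during the block pushes the release time further out, which is why a locked-out administrator has to wait rather than keep trying.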

Be sure to save the revised firewall ruleset using the command, service iptables save.
