Hundreds of failed ssh logins

You can use iptables to rate-limit new incoming connections to the SSH port. I’d have to see your entire iptables configuration in order to give you a turnkey solution, but you’re basically talking about adding rules like:

iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name SSH --rsource -j DROP 
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH --rsource -j ACCEPT

These rules assume that you’re accepting ESTABLISHED connections earlier in the table (so that only new connections will hit these rules). New SSH connections will hit these rules and be marked. In 60 seconds, 5 attempts from a single IP address will result in new incoming connections from that IP being dropped.

This has worked well for me.

Edit: I prefer this method to “fail2ban” because no additional software to be installed, and happens totally in kernel-mode. It doesn’t handle parsing log files like “fail2ban” will, but if your problem is only with SSH I wouldn’t use something user-mode that requires software installation and is more complex.

Related Posts:

  1. mysql_config not found when installing mysqldb python interface
  2. ssh: Could not resolve hostname [hostname]: nodename nor servname provided, or not known
  3. Pseudo-terminal will not be allocated because stdin is not a terminal
  4. X11 forwarding request failed on channel 0
  5. mysql_config not found when installing mysqldb python interface
  6. Pseudo-terminal will not be allocated because stdin is not a terminal
  7. How to download a file from server using SSH?
  8. connect to host localhost port 22: Connection refused
  9. Getting stty: standard input: Inappropriate ioctl for device when using scp through an ssh tunnel
  10. EC2 ssh Permission denied (publickey,gssapi-keyex,gssapi-with-mic)
  11. How to configure WP filesystem access in Linux (Ubuntu Server)?
  12. Can I automatically add a new host to known_hosts?
  13. Can I nohup/screen an already-started process?
  14. When does `cron.daily` run?
  15. Permission denied (publickey). SSH from local Ubuntu to Amazon EC2 server
  16. Is it normal to get hundreds of break-in attempts per day?
  17. How to reconnect to a disconnected ssh session
  18. how to disable SSH login with password for some users?
  19. What version of RHEL am I using?
  20. Keeping a linux process running after I logout
  21. How to handle security updates within Docker containers?
  22. How to check if an RSA public / private key pair match
  23. how do you create an ssh key for another user?
  24. “POSSIBLE BREAK-IN ATTEMPT!” in /var/log/secure — what does this mean?
  25. Does getting disconnected from an SSH session kill your programs?
  26. Can you have more than one ~/.ssh/config file?
  27. SSH from A through B to C, using private key on B [closed]
  28. Show all users and their groups/vice versa
  29. SSHFS mount that survives disconnect
  30. Temporarily ignore my `~/.ssh/known_hosts` file?
  31. How can I fully log all bash scripts actions?
  32. What’s wrong with always being root?
  33. protocol version mismatch — is your shell clean?
  34. How should an IT department choose a standard Linux distribution?
  35. How do I grep recursively?
  36. Why do you need to put #!/bin/bash at the beginning of a script file?
  37. -bash: syntax error near unexpected token `newline’ for display command
  38. How do I use grep to search the current directory for all files having the a string “hello” yet display only .h and .cc files?
  39. SSH using python script
  40. Changing the resolution of a VNC session in linux
  41. Using putty to scp from windows to Linux
  42. How does “cat << EOF" work in bash?
  43. What is difference between arm64 and armhf?
  44. Opening a .tar.gz file with a single command
  45. Implementing shell in C and need help handling input/output redirection
  46. How to count lines in a document?
  47. What does `set -x` do?
  48. How to get the process ID to kill a nohup process?
  49. Writing a simple shell in C using fork/execvp
  50. Implementation of multiple pipes in C
  51. chmod: changing permissions of ‘my_script.sh’: Operation not permitted
  52. Using ls to list directories and their total sizes
  53. tar: add all files and directories in current directory INCLUDING .svn and so on
  54. What does set -e mean in a bash script?
  55. make -j 8 g++: internal compiler error: Killed (program cc1plus)
  56. Pipe to/from the clipboard in a Bash script
  57. what does -zxvf mean in tar -zxvf filename? 
  58. Retrieve last 100 lines logs
  59. Linux Bash: Move multiple different files into same directory
  60. Configuring Apache for localhost
  61. how to search for a directory from the terminal in ubuntu
  62. Android – Command not found
  63. What does ‘bash -c’ do?
  64. How do I know the script file name in a Bash script?
  65. WordPress can’t find temporary folder, but folder it’s looking at has correct permissions
  66. Anyone else experiencing high rates of Linux server crashes during a leap second day?
  67. df in linux not showing correct free space after file removal
  68. In my /etc/hosts/ file on Linux/OSX, how do I do a wildcard subdomain?
  69. Setting the hostname: FQDN or short name?
  70. Shell command to monitor changes in a file
  71. When does /tmp get cleared?
  72. Difference in sites-available vs sites-enabled vs conf.d directories (Nginx)?
  73. How do I sleep for a millisecond in bash or ksh
  74. Disk full, du tells different. How to further investigate?
  75. What does ‘set -e’ do, and why might it be considered dangerous?
  76. Filename length limits on linux?
  77. What useful things can one add to one’s .bashrc? [closed]
  78. How to add a timestamp to bash script log?
  79. best way to clear all iptables rules
  80. How to remove empty/blank lines from a file in Unix (including spaces)?
  81. How can I kill all stopped jobs?
  82. How to copy file preserving directory path in Linux?
  83. Postfix – how to retry delivery of mail in queue?
  84. How can I rename a Unix user?
  85. How to re-order windows, change the scroll shortcut, and modify the status bar contents in GNU Screen?
  86. Is it possible to alias a hostname in Linux?
  87. How do I list loaded Linux module parameter values?
  88. Tips for Securing a LAMP Server
  89. What Linux distribution is the Amazon Linux AMI based on?
  90. How to prevent a user from login in, but allow “su – user” in Linux?
  91. What is this IP address: 169.254.169.254?
  92. Should I install Linux applications in /var or /opt?
  93. I have a keypair. How do I determine the key length?
  94. Why drop caches in Linux?
  95. Heartbleed: how to reliably and portably check the OpenSSL version?
  96. swap partition vs file for performance?
  97. Best way to disable swap in Linux
  98. How to remove invalid characters from filenames?
  99. How can I zip/compress a symlink?
  100. How to find the physical volume(s) that hold a logical volume in LVM

Leave a Comment