Re: SSH Brute force attacks

Taylor, Grant wrote:
# Let's jump to the SSH_Brute_Force chain if this is a new connection that is not from my IP address.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s ! $MYIPADDRESS -j SSH_Brute_Force
# If there have not been 4 NEW connection attempts from this source IP address in the last 60 seconds let's return to the INPUT chain.
iptables -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 -m recent --hitcount 4 --set --name SSH -j RETURN
# Well, the NEW connection has been seen so let's update the SSH recent list.
iptables -A SSH_Brute_Force -m recent --name SSH --update
# I like to log on a line by itself so I don't have to remember to do it on my last line prior to the end of my script.
iptables -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt: "
# Let's send the person that is trying to SSH in to us to the TARPIT target and make them think twice before they try again.
# TARPIT will force the site that is SSHing in to us to timeout the connection. Sure, stick your hand in my port, I'll grab hold of it and not let go,
# you will have to chew your arm off and grow a new one and try again.
iptables -A SSH_Brute_Force -j TARPIT
# I can be a mean vindictive SoB (Sweet Old Buzzard. NOT!)

Hi all

Thanks to Grant for the info above, but for some funny reason I can't get the following to work

iptables -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 -m recent --hitcount 4 --set --name SSH -j RETURN

This is what I get back:
=====================
[root@abc root]# iptables -A SSH_Brute_Force -m recent --name SSH ! --rcheck --seconds 60 -m recent --hitcount 4 --set --name SSH -j RETURN
iptables v1.2.9: Unknown arg `4'
Try `iptables -h' or 'iptables --help' for more information.
[root@ns root]#



Regards Brent Clark
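
The comments in the quoted rules describe a per-source limit on NEW SSH connections. The following is an added example, not part of the original post or of Grant's rules, that models that intended decision in Python so it can be replayed over sample traffic; it does not reproduce the kernel's recent match exactly. It assumes the count is checked before the current attempt is recorded, and `MY_IP` and all addresses are constructed.

```python
from collections import defaultdict, deque

WINDOW = 60            # --seconds 60
HITCOUNT = 4           # --hitcount 4
MY_IP = "192.0.2.10"   # constructed stand-in for $MYIPADDRESS


class RecentList:
    """Per-source timestamps of NEW connections, like the list named SSH."""

    def __init__(self, window=WINDOW, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.seen = defaultdict(deque)

    def verdict(self, src, now):
        """Return the chain outcome for one NEW tcp/22 connection."""
        if src == MY_IP:
            return "INPUT"                 # never enters SSH_Brute_Force
        hits = self.seen[src]
        while hits and now - hits[0] > self.window:
            hits.popleft()                 # forget attempts outside the window
        blocked = len(hits) >= self.hitcount   # assumption: checked before recording
        hits.append(now)                   # record this attempt either way
        return "TARPIT" if blocked else "RETURN"


def replay(events):
    """Run (time, source) pairs through one list; return the verdicts in order."""
    table = RecentList()
    return [table.verdict(src, t) for t, src in events]


# Constructed sample traffic: (seconds, source address)
SAMPLE = [
    (0, "203.0.113.5"), (2, "203.0.113.5"), (4, "203.0.113.5"),
    (6, "203.0.113.5"), (8, "203.0.113.5"),      # fifth attempt inside 60 s
    (9, "198.51.100.7"),                          # unrelated source
    (10, MY_IP),                                  # exempt address
    (50, "203.0.113.5"),                          # still hammering
    (120, "203.0.113.5"),                         # quiet for 70 s
]

if __name__ == "__main__":
    for (t, src), v in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={t:>3}s {src:<14} -> {v}")
```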

