--- On Wed, 3/30/11, nagygabor88 <nagygabor88@xxxxxxxx> wrote:

> From: nagygabor88 <nagygabor88@xxxxxxxx>
> Subject: a GOOD idea to harden OpenSSH!
> To: "OpenSSH list" <secureshell@xxxxxxxxxxxxxxxxx>
> Date: Wednesday, March 30, 2011, 12:19 PM
>
> if a user wants to connect to an ssh server then he has to
> wait a couple of seconds, then he can write his passphrase.
> the "couple of seconds" is defined in the sshd config,
> e.g.: 2 seconds
> the method mustn't show that the user has to wait 2 seconds
> to write his passphrase.

This can already be similarly done using iptables, with entries such as:

IPTABLES=/sbin/iptables   # assumed path; the original post used $IPTABLES without defining it
# dedicated chain, fed every new TCP connection to port 22
$IPTABLES -N SSH_CHECK
$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# record the source address (and its TTL) in the 'recent' list named SSH
$IPTABLES -A SSH_CHECK -m recent --set --name SSH
# at least 5 hits from that source within 180 s: log the attempt, then drop it
$IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
$IPTABLES -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j DROP

What this does: If I get more than 5 hits within 180 seconds, block them for 180 seconds.
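As an added illustration (my own simulation, not code from this thread or from netfilter), the Python below models the bookkeeping of the `recent` match as the SSH_CHECK rules use it and replays a constructed series of connection attempts through the chain, so you can see exactly which attempt gets dropped and for how long. The addresses and timings are constructed; the 20-entry stamp ring is the module's default `ip_pkt_list_tot`, and `--rttl` is assumed to be satisfied (constant TTL).

```python
"""Added example: a model of the netfilter 'recent' match as the posted
SSH_CHECK rules use it, replayed over constructed connection attempts.
Not code from the thread or from netfilter itself.

Semantics modelled (xt_recent):
  --set     append the packet's arrival time to the source's stamp ring
  --update  match when at least --hitcount stamps are no older than
            --seconds; a matching --update also appends a stamp (the
            'last seen' refresh), which is what makes dropped attempts
            prolong the lockout.
Assumptions: --rttl is satisfied (constant TTL) and the stamp ring holds
20 entries, the module's default ip_pkt_list_tot.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 180   # --seconds 180 in the posted rules
HITCOUNT = 5           # --hitcount 5
STAMP_RING = 20        # xt_recent default ip_pkt_list_tot


class RecentTable:
    """One named 'recent' list (the SSH list from the posted rules)."""

    def __init__(self, ring=STAMP_RING, refresh_on_match=True):
        self.stamps = defaultdict(lambda: deque(maxlen=ring))
        # refresh_on_match=False is the naive reading (a matching --update
        # adds no stamp); the kernel does refresh, so True is the real thing.
        self.refresh_on_match = refresh_on_match
        self.log = []   # what the LOG rule would emit, for the detection side

    def set(self, src, now):
        """'-m recent --set': record this packet's arrival time."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """'-m recent --update --seconds S --hitcount H'."""
        oldest = now - seconds
        # A stamp exactly S seconds old still counts (kernel uses time_after).
        hits = sum(1 for t in self.stamps[src] if t >= oldest)
        if hits < hitcount:
            return False
        if self.refresh_on_match:
            self.stamps[src].append(now)
        return True


def ssh_check(table, src, now):
    """Walk the SSH_CHECK chain for one new TCP/22 connection and return
    the verdict: 'DROP', or 'ACCEPT' when the packet falls off the chain
    back into INPUT."""
    table.set(src, now)                                   # rule 1: --set
    if table.update(src, now, WINDOW_SECONDS, HITCOUNT):  # rule 2: -j LOG
        # LOG is non-terminating: emit the line, keep walking the chain
        table.log.append(f"SSH_brute_force SRC={src} t={now}")
    if table.update(src, now, WINDOW_SECONDS, HITCOUNT):  # rule 3: -j DROP
        return "DROP"
    return "ACCEPT"


def replay(attempts, refresh_on_match=True):
    """attempts: iterable of (seconds_since_start, source_ip) in arrival
    order. Returns one verdict per attempt."""
    table = RecentTable(refresh_on_match=refresh_on_match)
    return [ssh_check(table, src, t) for t, src in attempts]


# Constructed sample traffic: 192.0.2.10 makes five attempts in 40 s, an
# unrelated client connects once, then 192.0.2.10 retries 160 s after its
# last attempt and again 180 s after that.
SAMPLE = [
    (0, "192.0.2.10"), (10, "192.0.2.10"), (20, "192.0.2.10"),
    (30, "192.0.2.10"), (40, "192.0.2.10"),
    (45, "198.51.100.7"),
    (200, "192.0.2.10"),
    (380, "192.0.2.10"),
]

if __name__ == "__main__":
    for label, flag in (("kernel behaviour", True), ("naive model", False)):
        print(f"{label:16}", " ".join(replay(SAMPLE, refresh_on_match=flag)))
```

Two things the replay makes visible that the rule listing alone does not. First, `--hitcount 5` matches on the fifth hit inside the window, not the sixth, so the fifth attempt is the one logged and dropped. Second, under the kernel's semantics the retry at t=200 is still dropped even though 180 s have passed since the block started: the LOG and DROP rules' `--update` refresh the entry on every blocked packet, so the lockout really ends only after 180 quiet seconds counted from the last attempt, which is worth remembering when reading `SSH_brute_force` lines and when clients behind one NAT address share the same source entry.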