iptables: defeat ssh brute-force attacks

Yesterday's post I described a method to do port-knocking protection with iptables only. Near the end of the post, I mentioned that using the same iptables recent module, one can effectively defeat the ssh brute-force attacks. At the time of writing I thought about a better implementation than the sample described in this link.

In short, the critical part for the iptables rules for the purpose would be:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set -j ACCEPT iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl -j DROP

The first iptables command records the seen IP address into the recent table from where an incoming ssh connection is attempted. The second one will drop the packets if the ssh login attempts happen more than 3 times within last 60 seconds from the same IP, as it is considered as ssh brute-force attacks.

My idea of improvement to the matching rules is to add multiple levels of matching, i.e., more than 3 times within last 60 seconds as the first level matching, and we also blocks ssh loin attempts more than 5 times within last 2 minutes, as the second level matching. This second levels of matching will drop the more packets which happens slightly less frequent than the first-level attacks but happens more persistently, because the normal ssh logins will be less likely like this. Similarly we can add even levels, e.g., more than 10 times within last 5 minutes, and more than 15 times within last 10 minutes, etc, etc, etc.

After bit googling, I found this is already mentioned by someone, with clearer sample here: