Re: Dictionary sshd attacks

From: cooper2k4 (
Date: 08/18/05

Date: Thu, 18 Aug 2005 13:23:39 +0200

Brian Hall wrote:
> On 2005-07-17, Michael Heiming wrote:
>>In Wayne <wayne@nospam.4me.invalid>:
>>>Is it possible to have sshd or some other daemon recognize
>>>a dictionary attack in progress, and to "shun" that IP for
> There was a recent posting about this on slashdot, and several people
> posted iptables methods of dealing with this, using the "recent" rule.
> "Rundown on SSH Brute Force Attacks"
> This is what was posted (there was a more complicated one that allowed
> for ssh IP whitelisting):
> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck \
>     --hitcount 3 --seconds 600 -j LOG --log-prefix "SSH attack: "
> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --rcheck \
>     --hitcount 3 --seconds 600 -j DROP
> -A PREROUTING -m tcp -p tcp -d $EXTERNAL --dport 22 -m recent --set -j DNAT \
>     --to-destination $INTERNAL:22
> -A OUTPUT -m tcp -p tcp -d $EXTERNAL --dport 22 -j DNAT --to-destination

I wonder why I can't use the limit module? The following two lines block SSH
connections from the beginning. Why does it not count to 5?

$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m limit \
    --limit 5/min -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j DROP
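To make the difference between the two approaches in this thread concrete, here is an added Python model (not code from the thread or from the iptables project) of how the two matches behave over a constructed sequence of SSH connection attempts. It models `-m limit --limit 5/min` with its default `--limit-burst 5` as a single token bucket shared by every source address, and `-m recent --rcheck --seconds 600 --hitcount 3` followed by `--set` as a per-source list of timestamps. The attempt list, the addresses and the timing are constructed for the example; the token-bucket refill arithmetic is a simplification of the kernel's implementation and is an assumption, not a transcript of it.

```python
from collections import defaultdict, deque

# ---- model of "-m limit --limit R/min --limit-burst B" ----------------------
# A single bucket for the whole rule, regardless of who is connecting.
# (Simplified continuous-refill token bucket; assumption, not the kernel code.)
class LimitMatch:
    def __init__(self, rate_per_min=5, burst=5):
        self.capacity = burst            # --limit-burst (iptables default: 5)
        self.tokens = float(burst)       # bucket starts full
        self.refill_per_sec = rate_per_min / 60.0
        self.last = 0.0

    def matches(self, now, _src):
        # The source address is deliberately ignored: limit is chain-wide.
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

# ---- model of "-m recent" with --set / --rcheck --seconds --hitcount --------
class RecentList:
    def __init__(self, seconds=600, hitcount=3):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)   # src address -> timestamps seen

    def rcheck(self, now, src):
        # --rcheck: match if src has been seen >= hitcount times within the
        # last --seconds. Unlike --update, it does not add a new timestamp.
        recent = [t for t in self.hits[src] if now - t <= self.seconds]
        return len(recent) >= self.hitcount

    def set(self, now, src):
        # --set: record one more sighting of src.
        self.hits[src].append(now)

# ---- the two rule chains from the thread, applied to a list of attempts -----
def limit_firewall(attempts, rate_per_min=5, burst=5):
    """Two-rule chain: ACCEPT while 'limit' matches, otherwise DROP."""
    bucket = LimitMatch(rate_per_min, burst)
    return ["ACCEPT" if bucket.matches(t, src) else "DROP" for t, src in attempts]

def recent_firewall(attempts, seconds=600, hitcount=3):
    """Quoted chain: DROP if 'recent --rcheck' matches, else '--set' and let through."""
    rl = RecentList(seconds, hitcount)
    verdicts = []
    for t, src in attempts:
        if rl.rcheck(t, src):
            verdicts.append("DROP")
        else:
            rl.set(t, src)
            verdicts.append("ACCEPT")
    return verdicts

# Constructed sample: one noisy source hammers port 22 once a second for
# 8 seconds, then an administrator from another address connects at t=10 s
# and again at t=700 s. Addresses are documentation ranges, not real hosts.
ATTEMPTS = [(float(i), "203.0.113.9") for i in range(8)] + [
    (10.0, "192.0.2.10"),
    (700.0, "192.0.2.10"),
]

if __name__ == "__main__":
    for (t, src), lim, rec in zip(ATTEMPTS, limit_firewall(ATTEMPTS),
                                  recent_firewall(ATTEMPTS)):
        print(f"t={t:6.1f}s {src:13s} limit={lim:6s} recent={rec}")
```

Running it shows the property that matters for this use: the `limit` chain lets the first five attempts through (the burst) and then drops everything, including the administrator's attempt at t=10 s, because the bucket is shared by all sources and the noisy address has emptied it. The `recent` chain admits three attempts per source address per 600 s window and drops the noisy address's fourth and later attempts, while the administrator's connections from the other address are unaffected, and a source is admitted again once its old hits age out of the window.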