Defending Your Linux Server: Preventing SSH Brute Force Attacks with Iptables Rules

Introduction

Securing your Linux server against unauthorized access is crucial for maintaining its integrity and protecting sensitive data. SSH (Secure Shell) is a common target for attackers attempting to gain entry through brute force attacks. In this blog post, we’ll explore how to fortify your server’s defenses using iptables rules to thwart SSH brute force attacks.

The Threat of SSH Brute Force Attacks

SSH brute force attacks involve automated attempts to guess SSH login credentials, typically through a large number of password guesses. These attacks can compromise server security, leading to data breaches, system instability, and potential downtime.

Iptables Rules for SSH Security

Iptables, a powerful firewall tool for Linux systems, enables administrators to define custom rules for filtering network traffic. Let’s implement iptables rules to protect SSH against brute force attacks:

1. Limit Failed Login Attempts

-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
  

This rule establishes a connection tracking entry for new SSH connections and updates it if there are more than 3 connections within 60 seconds. If the threshold is exceeded, further connections are dropped.

2. Log Suspicious Activity

-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 3 -j LOG --log-prefix "SSH Brute Force: "
  

This rule logs failed SSH login attempts that exceed 3 connections within 60 seconds, providing visibility into potential brute force attacks. The log prefix helps identify relevant entries in the system logs.

3. Reject Excessive Authentication Requests

-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
  

This rule rejects incoming SSH connections if more than 3 connections are detected within 60 seconds, sending a TCP reset packet to the sender. By enforcing rate limiting, it reduces the effectiveness of brute force attacks. These rules log and drop additional SSH connections that exceed the specified threshold, further enhancing the server’s security against brute force attacks.

How to Apply These Rules

Adding these iptables rules to your server is straightforward. Follow these steps:

1. Open a terminal on your Linux server.
2. Ensure you have root or sudo privileges.
3. Enter the commands listed below to configure the rules:

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
  

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 3 -j LOG --log-prefix "SSH Brute Force: "

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset

Conclusion

By implementing these iptables rules, you can strengthen your server’s defenses against SSH brute force attacks. Remember to regularly review and update your firewall rules to adapt to evolving security threats. Stay proactive in safeguarding your Linux server to ensure optimal performance and data protection.

Support Techcratic

If you found this guide helpful and would like to support Techcratic, consider making a Bitcoin donation. Your contributions help us continue to provide high-quality content and resources. You can donate to the following Bitcoin address:

Bitcoin Address: bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge

If you wish to donate through other means, please contact us at the Techcratic Contact form.