Securing ssh by iptables rules – Jan Taczanowski's tech blog

I secured my ssh server in simple way – with iptables rules which will be blocking attackers. I setup my iptables in such way, that it is allowing only one tcp syn packet to ssh port per minute from one ip address. With aditional configuration of sshd daemon the rules will allowing for once login attempt per hour.
iptables rules:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -i eth0 -m tcp -p tcp --dport 22 -m state --state NEW -m hashlimit \
--hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-htable-expire 3600000 --hashlimit-mode srcip \
--hashlimit-name ssh -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -I INPUT -i eth0 -m tcp -p tcp --dport 22 -m state --state NEW -m hashlimit \

--hashlimit-upto 1/hour --hashlimit-burst 1 --hashlimit-htable-expire 3600000 --hashlimit-mode srcip \

--hashlimit-name ssh -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

After we reaches this one new connection per hour, the hashlimit-htable-expire rule starts to counting 60 minutes (3600000ms). In this time you can not connect again to ssh.

MaxAuthTries in /etc/ssh/sshd_config – this is important, with this, sshd will be closing ssh connections after authentication failure, thus attacker will have to create new ssh connection (and tcp connection) to try again. This fact (new syn packet) will by noticed by iptables.

MaxAuthTries 3

1	MaxAuthTries 3

If you use only public key authentication, you can set MaxAuthTries to 1 because this is first authentication method provided by OpenSSH server, also ssh clients firstly tries authenticate through public key. Other authentication methods are on further places.

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey

With MaxAuthTries set to 1 only fist authentication method will work – usually publickey.

You can check the blocked addresses:

router:~ # cat /proc/net/ipt_hashlimit/ssh
16 216.98.212.11:0->0.0.0.0:0 90670848 108000000 36000000
338 42.7.26.55:0->0.0.0.0:0 80364416 108000000 36000000
553 116.31.116.50:0->0.0.0.0:0 31482240 108000000 36000000
593 123.183.209.134:0->0.0.0.0:0 32435072 108000000 36000000

router:~ # cat /proc/net/ipt_hashlimit/ssh

16 216.98.212.11:0->0.0.0.0:0 90670848 108000000 36000000

338 42.7.26.55:0->0.0.0.0:0 80364416 108000000 36000000

553 116.31.116.50:0->0.0.0.0:0 31482240 108000000 36000000

593 123.183.209.134:0->0.0.0.0:0 32435072 108000000 36000000

This rules very limited strength of attacks on my ssh.

Please test this first with another server access!

3 Comments

!!!WARNING!!!

NEVER set “MaxAuthTries 1” !!!
This (after sshd reload/restart) will reach to LOST OF ACCESS to your server!
I haven’t tried this with key authentication, but it blocks password-based access for sure!

Dear author, have you tried this setting yourself before writing this post?!

Hi!
I’m sorry that you lost access to your server

Yes, I checked this before I described it here and I’m using it with MaxAuthTries 1 constantly on my severs.
Maybe it depends on the ssh client.
You can try with –hashlimit-burst 2. Of course, if you have other methods of accessing to server.
I added a warning in the post to test this first with another server access, and I extended the describe of iptables rules.

Regards!
Janek

Thank you for the reply.
I had a console access to the VPS

By the way, I also tested MaxuthTries setting on the OpenBSD 6.2, and the behavior was the same – lost of access when setting this options to “1”.
Very strange that there’s no any warning in the sshd_config and in the man page.

Best regards, Alexey

Leave a Reply to Alexey Cancel reply