Rate limiting SSH
Rate limiting SSH access is an inexpensive means to effectively reduce over-frequent attempts to authenticate with the daemon, saving on system resources and slowing brute force attacks.
For example, instead of permitting 100 parallel connections from a single IP attempting to authenticate with the SSH daemon, all but 3 of those connections could be dropped. Any additional connections from that same IP thereafter will also be dropped until the cool-down period has passed. This can significantly reduce log spam and the non-trivial amount of CPU the SSH daemon spends handling these failed attempts.
Note: Rate limiting may not be very effective against a botnet, since the IP address can be rotated frequently.
The following commands use iptables to configure the necessary rules. Add them to the PREROUTING chain of the mangle table, which processes packets before the filter table's INPUT chain, so dropped connections never reach the SSH daemon. You can also include logging so that dropped requests can be monitored when necessary.
These rules drop new connections to the SSH port once a source meets or exceeds 4 connections (hitcount) within 60 seconds. The --set rule records every new connection attempt from a source and the --update rule counts those records, so a source that keeps trying stays blocked until fewer than 4 of its attempts fall within the last 60 seconds. The rules assume sshd listens on TCP port 2222 (which appears as the service name es-elmd in the listing under Notes); change --dport if your daemon uses another port. Adjust the "hitcount" value to change the threshold.
iptables -t mangle -N SSH_RATE_LIMIT
iptables -t mangle -A SSH_RATE_LIMIT -m limit --limit 60/min -j LOG --log-prefix "Dropped SSH Packets: " --log-level 4
iptables -t mangle -A SSH_RATE_LIMIT -j DROP
iptables -t mangle -A PREROUTING -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --set
iptables -t mangle -A PREROUTING -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j SSH_RATE_LIMIT
The equivalent rules for IPv6 use ip6tables:
ip6tables -t mangle -N SSH_RATE_LIMIT
ip6tables -t mangle -A SSH_RATE_LIMIT -m limit --limit 60/min -j LOG --log-prefix "Dropped SSH Packets: " --log-level 4
ip6tables -t mangle -A SSH_RATE_LIMIT -j DROP
ip6tables -t mangle -A PREROUTING -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --set
ip6tables -t mangle -A PREROUTING -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j SSH_RATE_LIMIT
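As an added example (not part of the original page), the script below generates the rule set above for both address families from a few parameters, validates the port, and prints the commands for review before anything is applied. It assumes sshd listens on SSH_PORT (2222, as on the page), that the conntrack, recent and limit match extensions are available, and that the chain does not already exist when --apply is used.

```sh
#!/bin/sh
# Added example, not from the original page: generate the page's SSH rate-limit
# rules for iptables and ip6tables from a few parameters and print them for
# review (dry run) before applying. Assumes sshd listens on SSH_PORT (2222 as
# on the page) and that the conntrack, recent and limit matches are available.

SSH_PORT="${SSH_PORT:-2222}"   # TCP port sshd listens on
WINDOW="${WINDOW:-60}"         # seconds a source's attempts are remembered
HITCOUNT="${HITCOUNT:-4}"      # attempt number within WINDOW that gets dropped
CHAIN="SSH_RATE_LIMIT"

# Accept only a number in 1..65535, so a typo cannot turn into a rule.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule set for one address family; $1 is iptables or ip6tables.
# Log messages are themselves limited to 60/min so a flood cannot fill the log.
ssh_rate_limit_rules() {
    bin="$1"
    valid_port "$SSH_PORT" || { echo "invalid SSH_PORT: $SSH_PORT" >&2; return 1; }
    cat <<EOF
$bin -t mangle -N $CHAIN
$bin -t mangle -A $CHAIN -m limit --limit 60/min -j LOG --log-prefix "Dropped SSH Packets: " --log-level 4
$bin -t mangle -A $CHAIN -j DROP
$bin -t mangle -A PREROUTING -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --set
$bin -t mangle -A PREROUTING -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --update --seconds $WINDOW --hitcount $HITCOUNT -j $CHAIN
EOF
}

# Rules for both address families.
all_rules() {
    ssh_rate_limit_rules iptables && ssh_rate_limit_rules ip6tables
}

# Number of rule lines generated (5 per family).
rule_count() {
    all_rules | wc -l | tr -d ' '
}

# Apply the rules. -N fails if the chain already exists, so refuse to run twice;
# flush and delete the chain first (see Notes) if you need to change parameters.
apply_rules() {
    if iptables -t mangle -L "$CHAIN" >/dev/null 2>&1; then
        echo "chain $CHAIN already exists; flush and delete it first" >&2
        return 1
    fi
    all_rules | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       all_rules ;;      # default is a dry run: print, do not apply
esac
```

Run it with no arguments to print the ten commands (set SSH_PORT, WINDOW or HITCOUNT in the environment to change them), and with --apply as root to execute them; the persistence commands below still have to be run afterwards.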
- Save the configuration on Debian systems:
netfilter-persistent save
netfilter-persistent reload
- Save the configuration on RHEL / CentOS systems:
service iptables save
- On Debian systems you can find the logged dropped connections in /var/log/syslog.
- On RHEL and CentOS systems you can find the logged dropped connections in /var/log/messages.
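To make the log output useful for monitoring, the following added example (not part of the original page) summarises the "Dropped SSH Packets:" entries per source address. It assumes the syslog line format produced by the LOG target above; the sample log embedded in it is constructed, with addresses taken from the documentation ranges.

```sh
#!/bin/sh
# Added example, not from the original page: summarise the "Dropped SSH Packets:"
# entries written by the LOG target above, per source address, so you can see
# which sources are hitting the limit. Works on /var/log/syslog (Debian) or
# /var/log/messages (RHEL/CentOS). The sample log below is constructed; the
# addresses are from the documentation ranges.

# Drops per source, most frequent first, as "ADDRESS COUNT".
dropped_by_source() {
    grep -h 'Dropped SSH Packets: ' "$@" \
      | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $2 " " $1 }'
}

# Total number of logged drops.
dropped_total() {
    grep -h 'Dropped SSH Packets: ' "$@" | wc -l | tr -d ' '
}

# Sources with at least $1 logged drops (candidates for review or a longer block).
sources_over() {
    n="$1"; shift
    dropped_by_source "$@" | awk -v n="$n" '$2 >= n { print $1 }'
}

# Constructed sample in syslog format: three drops from one IPv4 source, one from
# another, one IPv6 drop, and an unrelated sshd line that must be ignored.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:01 host kernel: [1200.100001] Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=51234 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Mar  3 10:15:03 host kernel: [1202.100002] Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=51235 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 host kernel: [1203.100003] Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=40004 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:05 host kernel: [1204.100004] Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=50000 DPT=2222 WINDOW=28800 RES=0x00 SYN URGP=0
Mar  3 10:15:06 host kernel: [1205.100005] Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4323 DF PROTO=TCP SPT=51236 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0
EOF

# Stand-alone usage: summarise the sample, or pass a real log path as the argument.
dropped_by_source "${1:-$SAMPLE_LOG}"
```

Point it at /var/log/syslog or /var/log/messages to see the live counts; because the LOG rule is itself limited to 60 messages per minute, the counts are a lower bound on the connections actually dropped.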
Notes
You can list your iptables rules with the following command:
iptables --table mangle --list
You can also specify a particular chain:
iptables --table mangle --list SSH_RATE_LIMIT
To remove a chain from iptables, you can run the following:
iptables --table mangle --flush SSH_RATE_LIMIT
iptables --table mangle --delete-chain SSH_RATE_LIMIT
If you would like to remove a specific rule added to a chain without flushing other rules, you can use the following method.
List the rules of a chain with line numbers included. Note the line number belonging to the rule you would like to remove and include it in the delete command.
iptables --table mangle --list PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 tcp -- anywhere anywhere tcp dpt:es-elmd ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
2 SSH_RATE_LIMIT tcp -- anywhere anywhere tcp dpt:es-elmd ctstate NEW recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source mask: 255.255.255.255
iptables --table mangle --delete PREROUTING 2