Iptables Rules To Block SSH Brute Force Attack


In general terms, a brute force attack is a cryptanalytic attack that can be used against any encrypted data: candidate keys or passwords are tried one after another until one works. In an SSH brute force attack, attackers first scan for SSH daemons exposed to the Internet. The scans are usually run by bots and target the standard SSH port, TCP 22. If port 22 is found open, service identification is attempted: SSH banners can expose information about the SSH software and the underlying OS. Based on the information gathered, attackers then try to discover valid username and password combinations. These are not true brute force attacks in the cryptanalytic sense; they rely on dictionaries of weak and common passwords. A prime target is the root account. If root login over SSH is allowed with a weak password, attackers may end up in complete control of the exposed system.


Block SSH brute force attacks with two simple iptables rules. The first rule records the source address of every new connection to port 22 in a list named SSH; the second drops a new connection when the same source has already made 8 or more attempts within the last 60 seconds.

# Record the source address of every new TCP connection to port 22 in the xt_recent list "SSH"
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# Drop the new connection if this source has 8 or more hits within 60 seconds
# (--rttl also requires the packet TTL to match the recorded one, which limits lockouts caused by spoofed packets)
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
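The two rules above only count and drop; on a host with a default DROP policy they need ACCEPT rules around them, and an administrator will want to see which sources the kernel is currently tracking. The following script is an added example, not code from the original page: it wraps the rules in a function with the interface, port, window and hit count as variables, adds the ESTABLISHED/RELATED and final ACCEPT rules, and reads the xt_recent list from /proc/net/xt_recent. The variable names, the DRY_RUN switch, the function names and the assumed /proc line format are this example's own assumptions; applying the rules for real requires root and a kernel with the recent match.

```shell
#!/bin/sh
# Added example (not from the original page): installs the SSH rate-limit
# rules together with the ACCEPT rules they rely on, and lists the sources
# the kernel is currently tracking. Variable names, DRY_RUN and the helper
# function names are this example's own assumptions.
IFACE="${IFACE:-eth0}"
PORT="${PORT:-22}"
WINDOW="${WINDOW:-60}"    # seconds
HITS="${HITS:-8}"         # new connections per window before dropping
LIST="${LIST:-SSH}"       # xt_recent list name
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the iptables commands instead of running them

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

ssh_ratelimit_rules() {
    # Replies to connections already accepted must not be counted again;
    # only NEW SYNs to the SSH port should reach the recent list.
    ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Record the source address of every new SSH connection.
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$PORT" -m state --state NEW \
        -m recent --set --name "$LIST"
    # Drop once this source has HITS or more new connections within WINDOW
    # seconds. --rttl also requires the packet TTL to match the recorded one,
    # so spoofed SYNs with a different TTL cannot lock out a legitimate host.
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$PORT" -m state --state NEW \
        -m recent --update --seconds "$WINDOW" --hitcount "$HITS" --rttl \
        --name "$LIST" -j DROP
    # Below the threshold the connection is still accepted; without this rule
    # a default DROP policy would block SSH entirely.
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$PORT" -m state --state NEW -j ACCEPT
}

# Number of rules the function installs (quick sanity check of the rule set).
rule_count() {
    ( DRY_RUN=1; ssh_ratelimit_rules ) | wc -l | tr -d ' '
}

# Print "source hits" for every address in the recent list. Reads
# /proc/net/xt_recent/$LIST by default; a file path can be given for testing.
# Assumed line format of the xt_recent proc file:
#   src=A.B.C.D ttl: N last_seen: T oldest_pkt: I T1, T2, ...
# so every field after the seventh is one recorded timestamp.
tracked_sources() {
    awk '{ sub(/^src=/, "", $1); print $1, NF - 7 }' "${1:-/proc/net/xt_recent/$LIST}"
}

# Most active tracked source, i.e. the address closest to (or past) the threshold.
top_source() {
    tracked_sources "$1" | sort -k2,2nr | head -n 1
}

if [ "${1:-}" = "apply" ]; then
    ssh_ratelimit_rules
fi
```

Run it as `DRY_RUN=1 sh ssh-ratelimit.sh apply` to review the generated commands first, then as root without DRY_RUN to install them; `top_source` with no argument reads the live /proc list and shows the source with the most recorded attempts. Note that the threshold counts every new connection, including legitimate ones that simply reconnect often, so WINDOW and HITS should be tuned to the expected usage of the host.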
