How to temporarily ban an IP address, after "n" number of SSH login failures?


Solution 1

Question 1

This can be done with the module hashlimit.

# --hashlimit-name is mandatory; matching only NEW connections keeps packets of
# an already established session from being counted and dropped
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit \
  --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 3/minute -j DROP

Question 2

Netfilter does not see login failures, only connections. You need a tool (like Fail2ban) which is active on both levels. You could create a chain with blocked IPs and run a script after each login failure which would do something like

iptables -A blocked_ips -s "$evil_ip" -j DROP
sleep 5
iptables -D blocked_ips -s "$evil_ip" -j DROP
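A worked version of the "blocked_ips" chain idea, added here as an example and not code from the answer above. It validates the address before it reaches the iptables command line (a value lifted from a log must never become extra rule arguments), bans it, and lifts the ban from a background job so the caller is not blocked for the whole ban period. The chain name, the function names and the address 203.0.113.7 are this example's own choices; IPTABLES=echo gives a dry run without root.

```shell
#!/bin/sh
# Added example, not code from the answer above: helpers around a
# "blocked_ips" chain. IPTABLES=echo prints the rule arguments instead of
# applying them (no root needed). Names below are this example's own choices.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-blocked_ips}"

# Accept only a plain dotted-quad IPv4 address. A log field that is not one
# (a hostname, a stray option, a second address) is refused rather than
# spliced into the rule.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Create the chain once and make SSH traffic consult it (-C = check first).
setup_chain() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -C INPUT -p tcp --dport 22 -j "$CHAIN" 2>/dev/null ||
        $IPTABLES -I INPUT -p tcp --dport 22 -j "$CHAIN"
}

ban_ip() {    # ban_ip ADDRESS
    is_ipv4 "$1" || { echo "ban_ip: refusing '$1'" >&2; return 1; }
    $IPTABLES -A "$CHAIN" -s "$1" -j DROP
}

unban_ip() {  # unban_ip ADDRESS
    is_ipv4 "$1" || return 1
    $IPTABLES -D "$CHAIN" -s "$1" -j DROP
}

# temp_ban ADDRESS SECONDS: ban now, remove the rule after SECONDS.
# The sleep runs in a background subshell so a log-watching caller keeps
# running while the ban is in force.
temp_ban() {
    ban_ip "$1" || return 1
    ( sleep "$2"; unban_ip "$1" ) &
}

# Dry-run demonstration with a constructed address:  sh ban.sh --demo
if [ "${1:-}" = "--demo" ]; then
    IPTABLES=echo
    setup_chain
    temp_ban 203.0.113.7 1
    wait
fi
```

Run with `--demo` to see the four rule invocations printed; without it the file only defines the functions, so it can be sourced from the script that watches the log.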

Solution 2

Look at iptables

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 5 --hitcount 2 -j DROP

It will permit only 1 new connection per IP per 5 seconds.
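The same "recent" mechanism as an added example (not code from the answer above), placed in its own chain with a named list so the per-address state is easy to find under /proc/net/xt_recent/, together with helpers to read and reset that state. The chain name SSH_RATELIMIT, the list name sshlimit, the rule order (record the hit, then test the count) and the sample listing are this example's own choices; IPTABLES=echo gives a dry run without root.

```shell
#!/bin/sh
# Added example, not code from the answer above. Names and values below are
# this example's own choices.
IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"
CHAIN=SSH_RATELIMIT
LIST=sshlimit
WINDOW=5     # seconds
HITS=2       # the HITS-th new connection inside WINDOW is dropped

apply_rules() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || $IPTABLES -F "$CHAIN"
    # Order matters: record this packet first, then count the hits it made.
    # With HITS=2 the second new connection within WINDOW seconds is dropped,
    # i.e. one connection per address per WINDOW seconds gets through.
    $IPTABLES -A "$CHAIN" -m recent --name "$LIST" --set
    $IPTABLES -A "$CHAIN" -m recent --name "$LIST" --update \
        --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Send only new SSH connections through the chain; -C keeps the hook idempotent.
    $IPTABLES -C INPUT -i "$IFACE" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -j "$CHAIN" 2>/dev/null ||
    $IPTABLES -I INPUT -i "$IFACE" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -j "$CHAIN"
}

# Print "ADDRESS RECORDED STATUS" per tracked entry. Reads the kernel's listing
# from stdin, one entry per line in the form
#   src=A.B.C.D ttl: T last_seen: J oldest_pkt: N J1,J2,...
# (J values are jiffies; the module keeps up to ip_pkt_list_tot stamps, 20 by
# default). Usage: show_list [HITS] < /proc/net/xt_recent/sshlimit
show_list() {
    awk -v hits="${1:-$HITS}" '
        $1 ~ /^src=/ {
            ip = substr($1, 5)
            n = split($NF, stamps, ",")
            print ip, n, (n >= hits ? "at-limit" : "ok")
        }'
}

# Drop one address from the list (for example after a false positive);
# "echo / > the same file" empties the whole list. Needs root.
forget_address() {
    echo "-$1" > "/proc/net/xt_recent/$LIST"
}

# Constructed sample of the listing, used for the demonstration below.
SAMPLE_LISTING='src=192.168.0.13 ttl: 64 last_seen: 4295153 oldest_pkt: 2 4295150,4295153
src=203.0.113.7 ttl: 52 last_seen: 4295001 oldest_pkt: 1 4295001'

if [ "${1:-}" = "--demo" ]; then
    IPTABLES=echo
    apply_rules
    printf '%s\n' "$SAMPLE_LISTING" | show_list
fi
```

The hitcount test counts timestamps already recorded for the address, so placing `--set` before the `--update ... -j DROP` rule makes the second attempt inside the window the first one dropped; reading the proc listing shows which addresses are currently at that limit.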

Solution 3

The component in charge of the authentication on a GNU/Linux system is PAM (Pluggable Authentication System).

You can configure it by adding modules. One interesting module in your case could be pam_tally. It's used to limit the number of login attempts and ban users.

If you add this line in one of the /etc/pam.d/ configuration files:

auth     required       pam_tally.so deny=1 unlock_time=5 per_user

you prevent a user who failed to log in from attempting again within the next five seconds. So you limit the number of connection attempts per minute to 12.


Solution 4

Deny for 5 seconds after 1 failed login attempt

pam_tally.so:

This module maintains a count of attempted accesses, can reset count on success, can deny access if too many attempts fail. pam_tally comes in two parts: pam_tally.so and pam_tally. The former is the PAM module and the latter, a stand-alone program. pam_tally is an (optional) application which can be used to interrogate and manipulate the counter file. It can display users’ counts, set individual counts, or clear all counts. Setting artificially high counts may be useful for blocking users without changing their passwords. For example, one might find it useful to clear all counts every midnight from a cron job. The faillog(8) command can be used instead of pam_tally to maintain the counter file.

Normally, failed attempts to access root will not cause the root account to become blocked, to prevent denial-of-service: if your users aren’t given shell accounts and root may only login via su or at the machine console (not telnet/rsh, etc), this is safe.

Step 1: edit /etc/pam.d/system-auth and append the following lines below the pam_env.so line:

auth required pam_tally.so deny=1 lock_time=5
account required pam_tally.so reset

After configuring the above file, try to log in with a wrong password for any user. Here is sample output from my log file:

logs:

tail -f /var/log/secure
Jun 04 15:59:13 station01 su: pam_tally(su-l:auth): user test (502) has time limit [167s left] since last failure
Jun 26 16:01:35 station01 sshd[13890]: pam_tally(sshd:auth): user test1 (503) has time limit [174s left] since last failure.
Jun 26 16:01:37 station01 sshd[13890]: Failed password for test1 from 192.168.0.13 port 54398 ssh2 
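The log lines above are what a detection script gets to work with. As an added example (not part of the answer above), the helpers below read /var/log/secure-style lines from stdin: failed_by_ip counts sshd "Failed password" events per source address, repeat_offenders lists the addresses at or above a threshold, and tally_lockouts pulls the user and remaining lock time out of pam_tally's "has time limit" messages. The sample log is constructed: its first three lines are the ones shown in the answer, the last two (address 203.0.113.7) are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the answer above: detection helpers over
# /var/log/secure-style lines read from stdin.

# Print "ADDRESS COUNT" for every source address with sshd password failures.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { count[$(i + 1)]++; break }
         }
         END { for (ip in count) print ip, count[ip] }' | sort
}

# repeat_offenders N: addresses with at least N failures.
repeat_offenders() {
    failed_by_ip | awk -v n="$1" '$2 >= n { print $1 }'
}

# Print "USER SECONDS_LEFT" for each pam_tally lock message.
tally_lockouts() {
    awk '/pam_tally\(.*has time limit \[/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "user") user = $(i + 1)
                 if ($i ~ /^\[[0-9]+s$/) left = substr($i, 2, length($i) - 2)
             }
             print user, left
         }'
}

# Constructed sample: three lines from the answer plus two made-up ones.
SAMPLE_LOG='Jun 04 15:59:13 station01 su: pam_tally(su-l:auth): user test (502) has time limit [167s left] since last failure
Jun 26 16:01:35 station01 sshd[13890]: pam_tally(sshd:auth): user test1 (503) has time limit [174s left] since last failure.
Jun 26 16:01:37 station01 sshd[13890]: Failed password for test1 from 192.168.0.13 port 54398 ssh2
Jun 26 16:01:41 station01 sshd[13894]: Failed password for invalid user admin from 203.0.113.7 port 40111 ssh2
Jun 26 16:01:44 station01 sshd[13894]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
    printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2
    printf '%s\n' "$SAMPLE_LOG" | tally_lockouts
fi
```

Against the live file this is `tail -f /var/log/secure | failed_by_ip` for a one-off count, or `repeat_offenders 2` feeding the temporary-ban chain from the netfilter answers; the pam_tally lines tell you which accounts, not which addresses, are currently locked.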

Solution 5

Inside your /etc/ssh/sshd_config file there is a directive that I believe will help you.

MaxAuthTries 6

Here is the MaxAuthTries definition from the man pages:

MaxAuthTries - Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. The default is 6.

Author: Edgar

Updated on September 18, 2022

Comments

  • Edgar
    Edgar over 1 year

    How can I limit SSH login attempts per minute per IP?

    I want to disable login attempts for 5 seconds after a failure. Is this possible? I'm not talking about banning a user after parsing logs, like Fail2ban.

  • lgeorget
    lgeorget almost 11 years
    ... but it's not a limit per minute.
  • Hauke Laging
    Hauke Laging almost 11 years
    But that is on a much higher level, consuming orders of magnitude more CPU load than throwing away connection requests in Netfilter.
  • Edgar
    Edgar almost 11 years
    Why --hitcount 2 and not 1 ?
  • lgeorget
    lgeorget almost 11 years
    That's true. If the goal is only to protect SSH, I'd prefer the netfilter option too. But it's never a bad idea to use two security mechanisms for the same purpose as long as they don't conflict with each other.
  • Edgar
    Edgar almost 11 years
    @lgeorget: Is using pam_tally and netfilter/iptables the best answer to my problem?
  • lgeorget
    lgeorget almost 11 years
    Yes, in my opinion, that'd definitely be a good combination to protect your system.
  • rush
    rush almost 11 years
    @Edgar because you need to drop the second new packet, not the first one. --hitcount indicates the packet number to process greater than or equal to the given value.
  • ivanleoncz
    ivanleoncz over 4 years
    Good technique, indeed.
  • Antonello
    Antonello almost 4 years
    Using the answer to Q1 (hashlimit) blocks my terminal after a few seconds, even on the currently connected session.