SSH Brute Force

Here is a simple setup for IPTABLES to limit brute force SSH attacks.

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix 'SSH attack: '

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

Is there a simple equivalent for Mikrotik?

http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

Yes, but it is not good enough; see this discussion: http://forum.mikrotik.com/t/max-login-attempts-per-ssh-session/71365/1

You could use a simple single port knock to avoid dumb ssh scanners filling up your log:

/ip firewall filter
add action=jump chain=input dst-port=22,12345 jump-target=SSH protocol=tcp
add action=add-src-to-address-list address-list="SSH Allowed" address-list-timeout=1h chain=SSH dst-port=12345 protocol=tcp
add action=drop chain=SSH dst-port=12345 protocol=tcp
add chain=SSH dst-port=22 protocol=tcp src-address-list="SSH Allowed"
add action=drop chain=SSH dst-port=22 protocol=tcp
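
Added example, not part of the original thread: a small Python triage script that reads the kernel log lines produced by the iptables LOG rule with the 'SSH attack: ' prefix and ranks the source addresses that hit the rate limit. The syslog layout, the host name "gw", the function names and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

PREFIX = "SSH attack: "  # must equal the --log-prefix string in the LOG rule

# Classic syslog line from the kernel LOG target; the "[uptime]" stamp is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?"
    + re.escape(PREFIX)
    + r"IN=(?P<iface>\S*) .*?\bSRC=(?P<src>\S+) .*?\bDPT=(?P<dpt>\d+)\b"
)

# Constructed sample input (documentation addresses, hypothetical host "gw").
_HEAD = "IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00"
_TAIL = "LEN=60 TOS=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=40112 DPT=22 SYN URGP=0"
SAMPLE_LOG = "\n".join([
    f"Mar  3 02:14:07 gw kernel: SSH attack: {_HEAD} SRC=203.0.113.7 DST=192.0.2.10 {_TAIL}",
    "Mar  3 02:14:08 gw sshd[911]: Failed password for root from 203.0.113.7 port 40112 ssh2",
    f"Mar  3 02:14:09 gw kernel: [86412.101] SSH attack: {_HEAD} SRC=203.0.113.7 DST=192.0.2.10 {_TAIL}",
    f"Mar  3 02:14:30 gw kernel: SSH attack: {_HEAD} SRC=198.51.100.23 DST=192.0.2.10 {_TAIL}",
    f"Mar  3 02:14:31 gw kernel: FW drop: {_HEAD} SRC=198.51.100.23 DST=192.0.2.10 {_TAIL}",
    f"Mar  3 02:15:02 gw kernel: SSH attack: {_HEAD} SRC=203.0.113.7 DST=192.0.2.10 {_TAIL}",
])


def parse_line(line):
    """Return ts/iface/src/dpt for a rate-limit LOG line, or None for anything else."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def summarize(text):
    """Rank sources by rate-limit hits: (src, hits, first_seen, last_seen)."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["dpt"] == "22":
            hits[rec["src"]].append(rec["ts"])
    rows = [(src, len(ts), ts[0], ts[-1]) for src, ts in hits.items()]
    # Most hits first; ties broken by address so the output is stable.
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, n, first, last in summarize(SAMPLE_LOG):
        print(f"{src:15} hits={n:<3} first={first} last={last}")
```

Lines from sshd itself and kernel lines with a different prefix are ignored, so the counts reflect only connections that tripped the hitcount rule.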