block login for ip if 3 failed login

Mon, 04/29/2013 - 04:15
sid

Hi

How do I make the SSH login not accept logins from an IP for 30 minutes if it has had 3 failed login attempts?

Mon, 04/29/2013 - 07:29
andreychek

Howdy,

SSH itself doesn't support that... however, you can install software such as fail2ban, which watches your logfiles, and will ban IP addresses after so many failed login attempts.

-Eric

Tue, 05/28/2013 - 15:40
Blueforce

Take a look at this; I posted it a few years ago.

Regards, Leif (Blueforce)

Hi guys!

Here are a few nice things to do in your firewall to get rid of a lot of brute-force attacks. I have used them for many years. I saw in the thread that someone was looking for this, I think anyway. I posted this in the forum years ago and only parts of my original post managed to survive Virtualmin's webpage updates over the years. So, here it comes again if someone is interested.

First of all I have set "MaxAuthTries" to 2, which gives me only three tries to get the password right.
If I connect to SSH and try to log in with an incorrect user or password I get disconnected; if I then try to restart the session, the iptables settings have dropped my IP for the preferred time, in my case 300 sec. I now have to wait these seconds until I'm able to start a new session from the same IP. And even if I just start an SSH session without trying to log in and close it, my IP gets dropped for the preferred time.

Make sure that these rules are in this order, and if you have an existing rule for port 22 and want to keep it, these have to go before it. These rules will have NO effect if you have an ACCEPT for port 22 in front of them. You have to change xxx.xxx.xxx.xxx to your server IP.

Rule 1 ------------------------------------------------------------------------------
From command line:
iptables -A RH-Firewall-1-INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT

From Webmin:
Action to take: Accept
Destination address or network: Equals xxx.xxx.xxx.xxx
Network protocol: Equals TCP
TCP flags set: Does not equal (First row) SYN
TCP flags set: Does not equal (Second row) SYN ACK RST

Rule 2 ------------------------------------------------------------------------------
From command line:
iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 300 --name DEFAULT --rsource -j DROP

From Webmin:
Action to take: Drop
Incoming interface: Equals eth0
Network protocol: Equals TCP
Destination TCP or UDP port: Port(s) 22
Connection states: Equals New connection(NEW)
Additional IPtables modules: recent
Additional parameters: --update --seconds 300 --name DEFAULT --rsource

Rule 3 ------------------------------------------------------------------------------
From command line:
iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name DEFAULT --rsource -j ACCEPT

From Webmin:
Action to take: Accept
Incoming interface: Equals eth0
Network protocol: Equals TCP
Destination TCP or UDP port: Port(s) 22
Connection states: Equals New connection(NEW)
Additional IPtables modules: recent
Additional parameters: --set --name DEFAULT --rsource

Regards,
Leif (Blueforce)
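To see how Leif's three rules interact, here is an added simulation (not code from the post or from Virtualmin) of the recent module's --set and --update --seconds 300 behaviour, run over a constructed timeline of new-connection and established-session packets. The source addresses, the timeline, and the --rcheck comparison switch are assumptions added for illustration.

```python
"""Simulation of the post's three 'recent'-module rules. Constructed model, not
iptables: bare SYNs to port 22, the DEFAULT list, --set, --update/--rcheck."""
from dataclasses import dataclass, field

WINDOW_SECONDS = 300  # the "--seconds 300" of Rule 2

@dataclass
class RecentList:
    """One xt_recent list: source IP (--rsource) -> time of its last recorded hit.
    refresh=True models --update as in the post; refresh=False models --rcheck."""
    seconds: int
    refresh: bool = True
    last_seen: dict = field(default_factory=dict)

    def check(self, ip, now):
        # Match only if ip was seen within the window; --update also refreshes.
        seen = self.last_seen.get(ip)
        if seen is None or now - seen > self.seconds:
            return False
        if self.refresh:
            self.last_seen[ip] = now
        return True

    def set(self, ip, now):  # "--set": record (or refresh) the address, always match
        self.last_seen[ip] = now
        return True

def filter_packet(recent, ip, now, syn_only):
    """Apply Rules 1-3 in the order the post insists on; return the verdict."""
    if not syn_only:           # Rule 1: not a bare SYN -> existing connection
        return "ACCEPT"
    if recent.check(ip, now):  # Rule 2: new connection, source seen in window
        return "DROP"
    recent.set(ip, now)        # Rule 3: first new connection, remember source
    return "ACCEPT"

def simulate(events, refresh=True):
    """events: (seconds, source ip, is_bare_syn) in time order -> verdicts."""
    recent = RecentList(WINDOW_SECONDS, refresh)
    return [filter_packet(recent, ip, t, syn) for t, ip, syn in events]

# Constructed timeline: one address keeps reconnecting, another connects once.
TIMELINE = [
    (0, "198.51.100.7", True),    # first SSH connect: accepted, timer started
    (5, "203.0.113.9", True),     # different source, tracked separately
    (10, "198.51.100.7", False),  # packets of the open session: Rule 1 accepts
    (30, "198.51.100.7", True),   # reconnect after 30 s: dropped, timer refreshed
    (320, "198.51.100.7", True),  # only 290 s since that refresh: still dropped
    (700, "198.51.100.7", True),  # quiet for more than 300 s: accepted again
]
```

Nothing here counts failed logins: the rules allow one new SSH connection per source address per 300 seconds, and because --update refreshes the timestamp, every retry inside the window extends the block, which is exactly the behaviour the post describes.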

Wed, 05/29/2013 - 03:53
amityweb

I have used Config Server Firewall for several years now and I must say it's been fantastic. I don't know of, and hope, there are no known security issues with it, because I don't read much reference to it when people ask these sorts of questions, but it has this feature and a lot more. I mainly use it to block all ports except web and email, then use a list of IP addresses and dynamic hostnames for the allow list. So no one except approved people can log in. But it also has a setting "Enable login failure detection of sshd connections".