
Rate limited SSH

Today’s perl frustration: swatch. 3.1.1’s man page states it supports thresholds in N seconds. This is contradicted by a Debian bug report that claims it’s a bad man page and to use “throttle threshold” instead. Looking at the code, it mentions “^threshold” in several places, so that’s not even right. Turns out threshold-per-second isn’t even implemented! Upgraded to 3.2.3; it works beautifully now.

Still no travel trailer. Getting financing is taking much longer than I expected. It’s certainly not like walking in one day and purchasing a car. BoA basically laughed at me, giving me some vague reason and refusing to offer an explanation of what it meant. I got burned by the interest rate on the truck, and to this day still hold a grudge. So I’ve been leery of what the dealer’s lenders could come up with. After running the numbers, the difference between 8% and a relatively insane 15% just isn’t that much on the principal I want to write paper on, especially if I’m paying it off in 2-3 years.

tifa receives thousands of SSH brute-force attacks daily and I finally got around to doing something about it. Turns out I can use iptables’ “recent” module. Here, SSH connections from an address are blocked once it has made more than three attempts in sixty seconds (assuming the chain’s default policy is DROP):

# Record every new SSH connection attempt (--syn, so established sessions are
# not counted) per source address in the "ssh" list, then accept only if that
# source has fewer than four hits in the last 60 seconds; a 4th attempt falls
# through to the chain's DROP policy.
-A INPUT -p tcp -m tcp --dport 22 --syn -m recent --set --name ssh --rsource
-A INPUT -p tcp -m tcp --dport 22 --syn -m recent ! --rcheck --seconds 60 \
   --hitcount 4 --name ssh --rsource -j ACCEPT
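To make the behaviour of those two rules concrete, here is a small model of the xt_recent sliding window, added here as an example and not part of the original post or of iptables itself. It replays a constructed list of SSH connection attempts (time in seconds, source address) through a `--set` rule followed by a `! --rcheck --seconds 60 --hitcount 4 -j ACCEPT` rule with a DROP policy. The class and function names, the per-address cap (the documented xt_recent default of 20 remembered packets), and the sample addresses are assumptions for the illustration.

```python
from collections import defaultdict, deque

# Assumed default from the xt_recent documentation: each address keeps the
# timestamps of its last ip_pkt_list_tot packets. --hitcount must not exceed it.
IP_PKT_LIST_TOT = 20


class RecentList:
    """Toy model of one named xt_recent list (e.g. --name ssh --rsource)."""

    def __init__(self, max_per_addr=IP_PKT_LIST_TOT):
        self.hits = defaultdict(lambda: deque(maxlen=max_per_addr))

    def set(self, src, now):
        """--set: add the address, or record another packet time for it."""
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: true when the address has been
        seen at least N times within the last S seconds. Unlike --update,
        --rcheck leaves the stored timestamps untouched."""
        recent = [t for t in self.hits.get(src, ()) if now - t <= seconds]
        return len(recent) >= hitcount


def ssh_chain(attempts, seconds=60, hitcount=4):
    """Apply the two rules from the post to new SSH connection attempts
    given as (time_in_seconds, source_address), in chronological order.
    Returns the verdict for each attempt: 'ACCEPT' or 'DROP'."""
    ssh = RecentList()
    verdicts = []
    for now, src in attempts:
        # Rule 1: -m recent --set --name ssh --rsource (no target, so the
        # packet continues down the chain). Note it fires for every attempt,
        # including the ones dropped afterwards.
        ssh.set(src, now)
        # Rule 2: -m recent ! --rcheck --seconds 60 --hitcount 4 -j ACCEPT
        if not ssh.rcheck(src, now, seconds, hitcount):
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")  # no rule matched: chain policy DROP
    return verdicts


# Constructed sample: one client hammering port 22, one normal client.
SAMPLE = [
    (0, "203.0.113.7"),
    (10, "203.0.113.7"),
    (20, "203.0.113.7"),
    (30, "203.0.113.7"),    # 4th hit inside 60s -> DROP
    (31, "198.51.100.2"),   # unrelated address, unaffected
    (61, "203.0.113.7"),    # hits at 10,20,30,61 still in window -> DROP
    (100, "203.0.113.7"),   # only 61 and 100 in window -> ACCEPT again
]

if __name__ == "__main__":
    for (t, src), verdict in zip(SAMPLE, ssh_chain(SAMPLE)):
        print(f"t={t:>3}s {src:<14} {verdict}")
```

The replay shows the detail worth knowing about this rule pair: because the `--set` rule runs on every attempt, including the ones that end up dropped, an address that keeps retrying at four or more attempts per minute stays blocked (the attempt at t=61 is still dropped), and it is only let back in once it slows down and its older hits age out of the window.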

I like this much more than other bolt-on solutions that do things like appending to /etc/hosts.allow or adding iptables drop rules. While those certainly work, they clutter things up and aren’t self-cleaning.
