Rate limiting SSH



Rate limiting SSH access is an inexpensive and effective way to reduce over-frequent authentication attempts against the daemon, saving system resources and slowing brute-force attacks.

For example, instead of permitting 100 parallel connections from a single IP attempting to authenticate with the SSH daemon, all but 3 of those connections could be dropped. Any additional connections from that same IP will also be dropped until the cool-down period has passed. This can significantly reduce log spam and the non-trivial amount of CPU the SSH daemon spends handling these failed attempts.

Note
Rate limiting may not be very effective against a botnet, since the source IP address can be rotated frequently.

The following commands use iptables to configure our rules. We will add our rules to the PREROUTING chain of the mangle table. We will also include logging so that we can monitor dropped requests if necessary.

Our rule drops new connections to the SSH port from a source that reaches or exceeds 4 connection attempts (the hitcount) within 60 seconds. You can adjust the --hitcount value if you would like to change the threshold. The rules below use port 2222; change --dport to match the port your SSH daemon listens on.

iptables -t mangle -N SSH_RATE_LIMIT
iptables -t mangle -A SSH_RATE_LIMIT -m limit --limit 60/min -j LOG --log-prefix "Dropped SSH Packets: " --log-level 4
iptables -t mangle -A SSH_RATE_LIMIT -j DROP
iptables -t mangle -A PREROUTING -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --set
iptables -t mangle -A PREROUTING -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j SSH_RATE_LIMIT

The following rules do the same for IPv6.

ip6tables -t mangle -N SSH_RATE_LIMIT
ip6tables -t mangle -A SSH_RATE_LIMIT -m limit --limit 60/min -j LOG --log-prefix "Dropped SSH Packets: " --log-level 4
ip6tables -t mangle -A SSH_RATE_LIMIT -j DROP
ip6tables -t mangle -A PREROUTING -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --set
ip6tables -t mangle -A PREROUTING -p tcp --dport 2222 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j SSH_RATE_LIMIT

  • Save the configuration on Debian systems:

netfilter-persistent save
netfilter-persistent reload

  • Save the configuration on RHEL / CentOS systems:

service iptables save

  • On Debian systems you can find the logged dropped connections in /var/log/syslog.

  • On RHEL and CentOS systems you can find the logged dropped connections in /var/log/messages.
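As an added example that is not part of the original guide, the following Python script parses the lines the LOG rule above writes (identified by the "Dropped SSH Packets: " prefix) and counts logged drops per source address. It assumes the traditional syslog line format shown in the constructed sample and the port 2222 used in the rules; both are assumptions, not something the page prescribes.

```python
import re
from collections import Counter

# Prefix set on the LOG rule in the SSH_RATE_LIMIT chain.
LOG_PREFIX = "Dropped SSH Packets: "

# A kernel LOG line as rsyslog writes it (assumed traditional syslog format):
# "<timestamp> <host> kernel: [<uptime>] <prefix> KEY=VALUE ...".
LINE_RE = re.compile(
    r"^(?P<ts>.+?) (?P<host>\S+) kernel: (?:\[\s*[\d.]+\] )?"
    + re.escape(LOG_PREFIX) + r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF or SYN have no "=" and are skipped

def parse_drop_line(line):
    """Return timestamp and SRC/DST/DPT/PROTO fields of a drop line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {"ts": m.group("ts"), "src": fields.get("SRC"), "dst": fields.get("DST"),
            "dport": fields.get("DPT"), "proto": fields.get("PROTO")}

def drops_by_source(lines, port="2222"):
    """Count logged drops per source (IPv4 and IPv6) for the SSH port.
    The LOG rule is itself limited to 60/min, so this is a floor on the
    connections the DROP rule discarded, not an exact count."""
    counts = Counter()
    for line in lines:
        rec = parse_drop_line(line)
        if rec and rec["dport"] == port and rec["src"]:
            counts[rec["src"]] += 1
    return counts

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Feb 16 10:01:02 bastion kernel: [81234.112233] Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 16 10:01:03 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51230 ssh2
Feb 16 10:01:04 bastion kernel: [81236.000001] Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 DF PROTO=TCP SPT=51235 DPT=2222 SYN URGP=0
Feb 16 10:01:05 bastion kernel: [81237.000001] Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:db8::10 DST=2001:db8:1::2 LEN=80 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=40000 DPT=2222 SYN URGP=0
Feb 16 10:01:06 bastion kernel: [81238.000001] Other prefix: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=1111 DPT=2222 SYN URGP=0
Feb 16 10:01:07 bastion kernel: [81239.000001] Dropped SSH Packets: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=52 DF PROTO=TCP SPT=51236 DPT=2222 SYN URGP=0
"""

if __name__ == "__main__":
    for src, n in drops_by_source(SAMPLE_LOG.splitlines()).most_common():
        print(f"{src:>20}  {n} logged drops")
```

Point it at /var/log/syslog or /var/log/messages instead of SAMPLE_LOG to see which sources are currently being rate limited on a live host.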



Notes

You can list your iptables rules with the following command:

iptables --table mangle --list

You can also specify a particular chain:

iptables --table mangle --list SSH_RATE_LIMIT

To remove a chain from iptables, you can run the following:

iptables --table mangle --flush SSH_RATE_LIMIT
iptables --table mangle --delete-chain SSH_RATE_LIMIT

If you would like to remove a specific rule added to a chain without flushing other rules, you can use the following method.

List the rules of a chain with line numbers included. Note the line number belonging to the rule you would like to remove and include it in the delete command.

iptables --table mangle --list PREROUTING --line-numbers

Chain PREROUTING (policy ACCEPT)
num  target          prot opt source               destination
1                    tcp  --  anywhere             anywhere             tcp dpt:es-elmd ctstate NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
2    SSH_RATE_LIMIT  tcp  --  anywhere             anywhere             tcp dpt:es-elmd ctstate NEW recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source mask: 255.255.255.255

iptables --table mangle --delete PREROUTING 2




Last modified date: 2021-02-16

Copyright © 2020-2021 emhmki.org All Rights Reserved.