Joel Liu's Library tagged Security →  View Popular

SSH time-lock tricks

You can also use different iptables parameters to limit connections to the
SSH service for specific time periods. You can use the /second, /minute, /hour,
or /day switch in any of the following examples.

In the first example, if a user enters the wrong password, access to the SSH
service is blocked for one minute, and the user gets only one login try per
minute from that moment on:

~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m
limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp
-m state --syn --state NEW --dport 22 -j DROP

In a second example, iptables are set to allow only host 193.180.177.13 to
connect to the SSH service. After three failed login tries, iptables allows the
host only one login try per minute:

~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state
NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~#
iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22
-j DROP

~# iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m
limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp
-m state --syn --state NEW --dport 22 -j DROP

In a second example, iptables are set to allow only host 193.180.177.13 to
connect to the SSH service. After three failed login tries, iptables allows the
host only one login try per minute:

~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state
NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~#
iptables -A INPUT -p tcp -s 193.180.177.13 -m state --syn --state NEW --dport 22
-j DROP