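#!/usr/bin/env bash
# SSH brute force attack defense
# Based on http://blog.andrew.net.au/2005/02/17
#
# Throttles NEW inbound SSH connections per source address with the xt_recent
# ("recent") match: a source that opens 4 or more new SSH connections within
# 60 seconds is logged (rate-limited) and dropped until it has been quiet for
# 60 seconds.  Whitelisted sources are never throttled.
#
# Caveats for whoever deploys this:
#   * IPv4 only.  Nothing here touches ip6tables, so an IPv6-reachable sshd is
#     not covered.
#   * Matches "--destination-port ssh" (resolved via /etc/services, normally
#     22).  Set SSH_PORT if sshd listens elsewhere.
#   * The DROP rule refreshes the source's "last seen" timestamp on every
#     attempt (--update), so a source that keeps hammering stays blocked.  A
#     legitimate user behind the same NAT address as an attacker is blocked too.
#   * --rttl only matches when the packet's TTL equals the TTL recorded by
#     --set, so a spoofed SYN with a different TTL cannot poison the table and
#     lock out a third party.  It is a mitigation, not a complete defence.
#   * Layer-3 throttling complements sshd hardening (key-only auth, no root
#     login, MaxAuthTries); it does not replace it.
#
# Re-running the script is safe: user chains are created only when missing and
# flushed before being repopulated, and the INPUT jump is added only once
# (iptables -C needs iptables >= 1.4.11).  There is a brief window during the
# flush in which new SSH connections are not throttled.

set -eu

IPT="${IPT:-/sbin/iptables}"
# Progress messages; set OUT=: to silence them.
OUT=echo
# Port sshd listens on, as a service name or number; iptables resolves it.
SSH_PORT="${SSH_PORT:-ssh}"
# Ceiling for the LOG rule so a flood of blocked attempts cannot fill the log.
# This limit is global to the rule, not per source; the DROP rule below still
# fires for every packet regardless of logging.
LOG_LIMIT="${LOG_LIMIT:-3/minute}"
LOG_BURST="${LOG_BURST:-5}"

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ -x "$IPT" ]] || die "iptables binary not found or not executable: $IPT"
(( EUID == 0 )) || die "must run as root to modify the filter table"

# Create a user chain if it is missing, then flush it so a re-run leaves
# exactly one copy of each rule instead of appending duplicates.
ensure_chain() {
  local chain=$1
  if ! "$IPT" -t filter -n -L "$chain" >/dev/null 2>&1; then
    "$IPT" -t filter -N "$chain"
  fi
  "$IPT" -t filter -F "$chain"
}

### Chain SSH_whitelist ###
$OUT creating Chain SSH_whitelist holding IP addresses that are not subject to the limitation
ensure_chain SSH_whitelist

# Whitelisted sources as "address hostname" pairs.  A whitelisted packet has
# already been recorded by --set in SSH_bruteforce, so --remove undoes that
# before accepting.  Anything not listed falls off the end of this chain and
# RETURNs to SSH_bruteforce for the hit-count check.
WHITELIST=(
  "213.146.112.72 solar.trillke.net"
  "81.14.224.80 central.merlinux.de"
)
for entry in "${WHITELIST[@]}"; do
  read -r addr name <<<"$entry"
  $OUT whitelisting "$name"
  "$IPT" -t filter -A SSH_whitelist --source "$addr" --protocol tcp --destination-port "$SSH_PORT" \
    -m recent --remove --name SSH -j ACCEPT
done

### Chain SSH_bruteforce ###
$OUT creating Chain SSH_bruteforce
ensure_chain SSH_bruteforce

# Record the source in the 'recent' table named SSH (adding the entry or a new
# timestamp to it), then consult the whitelist; whatever is not accepted there
# returns here.
$OUT Set up a 'recent' table with the name SSH and send everything through
"$IPT" -t filter -A SSH_bruteforce -m recent --set --name SSH -j SSH_whitelist

# Only non-whitelisted sources reach this point.  --update matches when the
# source has >= 4 hits in the last 60 seconds (this packet included, because
# --set ran above) and refreshes its timestamp; --rttl additionally requires
# the TTL to equal the one seen by --set.  The recent match's side effect runs
# even when the limit match below then fails, which is harmless because the
# DROP rule performs the same --update.
$OUT log anything connecting 4 times or more within a minute
"$IPT" -t filter -A SSH_bruteforce -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH \
  -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
  -j LOG --log-prefix "SSH_brute_force "
$OUT Anything connecting 4 times or more within a minute gets dropped
"$IPT" -t filter -A SSH_bruteforce -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# Hook SSH_bruteforce into INPUT for NEW SSH connections only; established
# sessions never traverse it.  Check before appending so re-runs do not stack
# identical jumps (-m conntrack --ctstate NEW is the modern spelling of the
# state match; state is kept here for compatibility with older userland).
$OUT Send all new SSH connections through the SSH_bruteforce chain
INPUT_JUMP=(--protocol tcp --destination-port "$SSH_PORT" --match state --state NEW -j SSH_bruteforce)
if ! "$IPT" -t filter -C INPUT "${INPUT_JUMP[@]}" 2>/dev/null; then
  "$IPT" -t filter -A INPUT "${INPUT_JUMP[@]}"
fi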