Skip to main content

IPTables to the Rescue

Today I tried to ssh into a production server of ours and I began receiving this error message:

  1. ssh_exchange_identification: Connection closed by remote host

Stange, considering only 1 hour prior I was connecting just fine through ssh. After a few failed attempts in a row I finally got connected. After running a top command I noticed numerous sshd daemons running. As it turns out, a script kiddie was trying to brute force their way into the server. After checking the log files, I found that the source of the problem was coming from a single IP address. My next thought was, 'how do I stop this jackass?'.

IPTables

Luckily, Linux comes with a beautiful program called iptables. With this I was able to block all tcp access to the server from this one address. To do this, I used this command:

  1. sudo iptables -A INPUT -i eth0 -p tcp -s "xxx.xxx.xxx.xxx" -j DROP

After this command, the log files stopped filling with the failed SSH attempts.

Resources:

* note, the above command rule will be gone upon the next server restart.


Comments