Today I tried to ssh into a production server of ours and I began receiving this error message:
ssh_exchange_identification: Connection closed by remote host
Strange, considering only 1 hour prior I was connecting just fine through SSH. After a few failed attempts in a row I finally got connected. After running a top command I noticed numerous sshd daemons running. As it turns out, a script kiddie was trying to brute force their way into the server. After checking the log files, I found that the source of the problem was a single IP address. My next thought was, 'how do I stop this jackass?'.
IPTables
Luckily, Linux comes with a beautiful program called iptables. With it I was able to block all TCP access to the server from that one address. To do this, I used this command:
sudo iptables -A INPUT -i eth0 -p tcp -s "xxx.xxx.xxx.xxx" -j DROP
After this command, the log files stopped filling with the failed SSH attempts.
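As an added example (not part of the original post), here is a small POSIX shell script that does the log check described above: it counts failed sshd logins per source address and prints the matching iptables DROP rule for any address over a threshold. The log lines and the addresses in them are constructed sample data, not real hosts.

```shell
#!/bin/sh
# Added example: find brute-force sources in sshd log lines and emit block rules.
# The log lines below are constructed sample data; the addresses are from the
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG='Jan 10 12:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Jan 10 12:00:02 web1 sshd[2002]: Failed password for root from 203.0.113.5 port 40212 ssh2
Jan 10 12:00:03 web1 sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 40213 ssh2
Jan 10 12:00:04 web1 sshd[2004]: Accepted publickey for deploy from 198.51.100.7 port 50001 ssh2
Jan 10 12:00:05 web1 sshd[2005]: Failed password for deploy from 198.51.100.7 port 50002 ssh2'

# Print "count ip" for every source address with failed password attempts,
# highest count first. Only "Failed password" lines are counted.
count_failures() {
    printf '%s\n' "$1" \
        | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Emit one iptables rule per address with at least $2 failures. -I puts the rule
# at the top of INPUT so it wins over any later ACCEPT; -m comment tags it so it
# can be found again with 'iptables -L INPUT -v'. Like the rule in the post, these
# are not persistent across a reboot. Rules are printed for review, not executed.
offender_rules() {
    log="$1"; threshold="$2"
    count_failures "$log" | while read -r n ip; do
        if [ "$n" -ge "$threshold" ]; then
            printf 'iptables -I INPUT -p tcp -s %s -m comment --comment "ssh brute force" -j DROP\n' "$ip"
        fi
    done
}

offender_rules "$SAMPLE_LOG" 3
```

On a real box you would feed it the auth log instead of the constructed sample (for example `offender_rules "$(cat /var/log/auth.log)" 10`) and pipe the printed rules into sh once you have looked them over.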
Resources:
- http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
- http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attack…
- http://www.cyberciti.biz/faq/linux-iptables-drop/
* Note: the rule added by the above command is not persistent; it will be gone after the next server restart.