Use iptables to prevent ssh Brute force cracking and control the network speed

Brute-force ssh cracking prevention has always been a problem. in the face of the red ssh logon failure records displayed on the full screen in auth. log displayed by Vim, you can either tolerate or change the port number or fail2ban. Changing the port number will obviously cause a lot of inconvenience, especially when there are many users. Fail2ban was also used quite well before, but you need to manually edit the configuration file and read the length Anti-ssh Brute force cracking
For a long time, in the face of the red ssh logon failure records displayed on the full screen in auth. log displayed in Vim, either tolerate, change the port number, or fail2ban. Changing the port number will obviously cause a lot of inconvenience, especially when there are many users. Fail2ban used to work well before, but you need to manually edit the configuration file, read the long notes, and carefully modify the parameters. After configuration, you will often receive emails sent by fail2ban. These are tolerable. One day, when a user accidentally fails to log on multiple times, the IP address is blocked. I deleted the corresponding project from/etc/hosts. deny, but it is useless, because fail2ban will check auth. log, and then add the IP address back ......
Two days ago, I was looking for a speed limit command, but I accidentally saw the command to prevent ssh Brute force cracking, as shown below:
Iptables-I input-p tcp -- dport 22-I eth0-m state -- state NEW-m recent -- set
Iptables-I input-p tcp -- dport 22-I eth0-m state -- state NEW-m recent -- update -- seconds 60 -- hitcount 4-j DROP
The first sentence is that for external data, if it is TCP, the target port number is 22, the network interface is eth0, and the status is new connection, then add it to the latest list. In the second sentence, if such a connection is in the recent list and reaches or exceeds four times in 60 seconds, the data is discarded. -M indicates the module.
That is to say, If someone tries to log on to ssh four times from an IP address within one minute, it will be blacklisted and the connection will be dropped later.. This is an excellent rule for dealing with ssh Brute force cracking. You do not need to modify openssh or start a service that is easy to recruit. However, I don't know how long the IP address will be reconnected.
I am using a Beijing IP address and trying to log on via ssh. After the command is executed, the red failure message in auth. log appears again four times, and then no longer appears. Later, I checked that although I could still see a lot of red, it was not as dense as before. More importantly, the interval between each of the four logon failure messages is large. The effect is remarkable.


Network speed limit
This is my intention to search iptables related information this time. This is the reason. during local testing, we often find that the local connection speed is too fast. Websites cannot reflect their real user experience. network programs cannot test their performance in poor network conditions. due to the small scale of tests, some competing modes that are easy to appear during actual use cannot be reproduced because the operation is too fast.
I have long known that iptables can speed up the forwarding traffic. Since it is iptables rather than some commercial software, there is no reason for it to only limit external traffic rather than local interface lo. The following command is obtained:
Iptables-a input-s 127.0.0.1-p tcp-d 127.0.0.1 -- dport 6900: 6901-m limit -- limit 1/s-j ACCEPT
Iptables-a input-s 127.0.0.1-p tcp-d 127.0.0.1 -- dport 6900: 6901-j DROP
These two rules are combined to indicate that for all TCP connections from 127.0.0.1 to Port 6900 to Port 6901 of the same address, only one packet is accepted per second, and redundant data packets are discarded. The following sentence is necessary. if it is not written, it will not work, because the default policy is accept.
Note that if the domain name localhost is used, IPv6 address: 1 rather than 127.0.0.1 may be used.