Gentoo Wiki





This document describes how to install the netfilter and iptables kernel modules and configure them to successfully thwart brute-force SSH attacks.

Rules from have been used in this article.

WARNING: Some sources state that after some period of time ipt_recent can drop connections that do not even exceed the --seconds parameter, and that the bug is still unfixed, so be careful.


Enable the following kernel modules:

Linux Kernel Configuration: Name of Kernel 2.6.25 Config

Networking --->

[*] Networking support 
    Networking options  ---> 
    [*] Network packet filtering framework
       [ ]   Network packet filtering debugging
       [*]   Advanced netfilter configuration
             Core Netfilter Configuration --->
             <M> Netfilter connection tracking
             <M> Netfilter Xtables support
             <M> "state" match support
             IP: Netfilter Configuration --->
             <M> IPv4 connection tracking support 
             <M> IP tables support 
             <M> recent match support
             <M> Packet filtering

Be sure to recompile your kernel and install the modules:

gmake && gmake modules_install

Add the following to /etc/modules.autoload.d/kernel-2.6:


Emerge IP Tables:

emerge iptables
Note: add iptables to the default runlevel ONLY after it is configured and confirmed to work; otherwise you may lock yourself out of your system if you are connected remotely!
Note: if iptables complains about a missing ipt_recent file, emerge iptables with the "extensions" USE flag enabled.
rc-update add iptables default


Load the modules:

echo nf_conntrack nf_conntrack_ipv4 xt_state ipt_recent \
ip_tables iptable_filter xt_tcpudp | xargs -n1 modprobe

Load the rules (note that the Ethernet interface, eth0 in this case, may need to be changed to match your configuration):

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state \
--state NEW -m recent --update --seconds 30 --hitcount 1    \
--name ssh_attempt --rsource -j DROP 
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state \
--state NEW -m recent --set --name ssh_attempt --rsource 

These rules will allow one SSH connection per remote host every 30 seconds and drop subsequent attempts, which is sufficient to cause a timeout in automated SSH brute-force attack scripts. It's also generous enough for the average user.

Note: a firewall rule allowing connections on port 22 (if you use such a rule) should be added after the above rules. Otherwise connections will be accepted before being examined by the above filters.
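
The effect of the two rules above, modelled as an added example (not part of the original article): the awk model replays constructed connection attempts and shows that, because the first rule uses --update, every dropped attempt refreshes the timer, so a host has to stay quiet for more than 30 seconds before it is let through again. The function names and sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: replay connection attempts through a model of the two
# "recent" rules. Input lines:  "<seconds> <source_ip>"
#                 Output lines: "<seconds> <source_ip> PASS|DROP"
simulate_recent() {
    window="${1:-30}"   # mirrors --seconds 30
    awk -v window="$window" '
    {
        ts = $1; src = $2
        # Rule 1: -m recent --update --seconds N --hitcount 1 -j DROP
        # Matches when src is listed and was seen within the window. A match
        # refreshes last_seen, so dropped retries keep the block alive.
        if ((src in last_seen) && (ts - last_seen[src] <= window)) {
            last_seen[src] = ts
            print ts, src, "DROP"
            next
        }
        # Rule 2: -m recent --set records the source; the packet then
        # continues to whatever rules follow (e.g. an ACCEPT for port 22).
        last_seen[src] = ts
        print ts, src, "PASS"
    }'
}

# Constructed sample traffic (documentation addresses, not real hosts):
# 192.0.2.10 retries every 10 s, 198.51.100.7 reconnects after 45 s.
sample_attempts() {
    cat <<'EOF'
0 192.0.2.10
5 198.51.100.7
10 192.0.2.10
20 192.0.2.10
30 192.0.2.10
40 192.0.2.10
50 198.51.100.7
75 192.0.2.10
EOF
}

sample_attempts | simulate_recent 30
```

The attempt at second 40 is dropped even though the last accepted connection from that host was 40 seconds earlier, because the dropped attempts at 10, 20 and 30 each reset the timer.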

A small script to unblock yourself after a successful login to the box (note that the counter doesn't reset after a correct login completes). It takes the connect/login time from the connected user table and removes the matching address from the blocked IPs:


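#!/bin/sh
# Remove the source address of each session that logged in during the current minute from the ssh_attempt list.
DATE=$(date +%H:%M)
who | grep "${DATE}" | sed -n 's/.*(\(.*\)).*/\1/p' | while read -r ip; do echo "-${ip}" > /proc/net/ipt_recent/ssh_attempt; done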




Set SAVE_ON_STOP to no in /etc/conf.d/iptables to prevent accidentally wiping out your rules:

 # Save state on stopping iptables
 SAVE_ON_STOP="no"

Save the current IP Tables rules that were manually set during the Test step above:

 /etc/init.d/iptables save

Start the IP Tables service:

 /etc/init.d/iptables start

Last modified: Wed, 03 Sep 2008 08:32:00 +0000 Hits: 6,698