To save the firewall rules in the future, only need to execute:Įcho -e'#!/bin/bash\n/sbin/iptables-restore /etc/network/if-pre-up.d/iptablesĬhmod +x /etc/network/if-pre-up.d/iptables Note: If it is a CentOS7 system, it is not an iptables firewall. After the power is started, the saved firewall rules will be automatically read.
The following code is to configure the firewall to start and save the firewall rules. I suggest you do it all to avoid restarting the VPS, the SSH port firewall is not open and the server cannot be connected. Then it’s not clear whether you have configured the firewall to boot and read the firewall configuration file. Iptables -I INPUT -p tcp -dport 23456 -j ACCEPT # CentOS7 uses systemctl restart rviceįirst we add firewall rules (example port is 23456, change it yourself): # If prompted that the service does not exist, use /etc/init.d/sshd restart # The default port 22 configuration, note that this default port 22 configuration is not deleted now to avoid failure to connect to SSH after modification We add a new port we want to use under the default SSH port configuration, for example 23456 # vi After opening the file, press the I key to enter the editing mode, then add the port configuration according to the following requirements, and finally press the ESC key to exit the editing mode and enter :wq to save and exit the vi editor. If there is no problem, we will delete the default port 22 (the reason for this is that if Modifying the port directly may cause you to be unable to connect to SSH after some problems occur, which is miserable). The blocked IPs are stored in /proc/net/ipt_recent/SSH.To be safe, we first add an SSH port and add the corresponding firewall rules, and then try to connect to the server with this new port. Also, the order of the checks on the NEW ssh connections have been fixed based on the suggestions in the comments. The changes improve efficiency by moving all the RELATED and ESTABLISHED filtering to the beginning of the checks.
Iptables -A INPUT -p tcp -m tcp -dport 22 -m state -state NEW -j ACCEPT Iptables -A INPUT -p tcp -m tcp -dport 22 -m state -state NEW -m recent -update -seconds 60 -hitcount 4 -rttl -name SSH -j DROP Iptables -A INPUT -p tcp -m tcp -dport 22 -m state -state NEW -m recent -set -name SSH # new inbound ssh, protecting against brute-force attacks Iptables -A INPUT -m state -state ESTABLISHED,RELATED -j ACCEPT UPDATE: After some Googling, and after taking into account a lot of good advice from the comments, as well as from John and Smooge, here’s how I’ve rewritten my firewall to protect against brute force ssh attacks. I recently had to move sshd back to port 22, and I quickly tired of seeing 5k failed login attempts every day.
In the past, I’ve avoided this problem simply by running sshd on a non-traditional port, which makes all the automated scripts that attack port 22 fail. Anyone who runs their own Linux server knows the annoyance of looking through the log files to see automated SSH brute force attacks trying to find a login to the machine.