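#!/usr/bin/env bash
#
# Countermeasures to ssh dictionary attacks.
# I have strong passwords so I can afford to play.
#
# IPs that make MAX_ATTEMPTS connections in WINDOW_SECS are put in the tarpit.
# There they are treated to a very bad connection: only one packet every
# TRICKLE_SECS is let through.  If the attacker is single-threaded this will
# slow him down considerably.  If the attacker is multi-threaded, then at
# least we've used up some of his system resources.
#
# IPs get out of the tarpit by sending no SSH packets for WINDOW_SECS.
#
# Usage: run as root.  Re-running is safe: the custom chains are flushed and
# rebuilt, and the jump rules in INPUT/OUTPUT are only added once.
#
# Tunables (environment, all optional; defaults match the original script):
#   IFACE         interface SSH is reachable on              (eth0)
#   SSH_PORT      TCP port sshd listens on                   (22)
#   MAX_ATTEMPTS  SYNs within WINDOW_SECS that tarpit an IP  (5)
#   WINDOW_SECS   counting / release window, seconds         (600)
#   TRICKLE_SECS  minimum gap between accepted packets       (30)
#   TARPIT_MSS    MSS advertised to tarpitted IPs            (64)
set -euo pipefail

readonly IFACE=${IFACE:-eth0}
readonly SSH_PORT=${SSH_PORT:-22}
readonly MAX_ATTEMPTS=${MAX_ATTEMPTS:-5}
readonly WINDOW_SECS=${WINDOW_SECS:-600}
readonly TRICKLE_SECS=${TRICKLE_SECS:-30}
readonly TARPIT_MSS=${TARPIT_MSS:-64}

# xt_recent list shared by both chains, and the chain names.
readonly LIST=tarpit
readonly IN_CHAIN=SSH
readonly OUT_CHAIN=MMSLOW

#######################################
# Create chain $1 if it is missing, otherwise flush it, so the script can be
# re-run without "Chain already exists" errors or duplicated rules.
# Arguments: $1 - chain name
#######################################
ensure_chain() {
  local chain=$1
  if iptables -n -L "$chain" >/dev/null 2>&1; then
    iptables -F "$chain"
  else
    iptables -N "$chain"
  fi
}

#######################################
# Append rule "$@" unless an identical rule is already present (iptables -C).
# Arguments: a complete rule specification, starting with the chain name
#######################################
ensure_rule() {
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

#######################################
# Build the inbound tarpit chain and hook it into INPUT.
# Globals: IN_CHAIN, LIST, IFACE, SSH_PORT, MAX_ATTEMPTS, WINDOW_SECS,
#          TRICKLE_SECS (read)
#######################################
build_input_chain() {
  ensure_chain "$IN_CHAIN"

  # Count connection attempts: SYN set with RST and ACK clear is a new
  # connection.  Every such packet adds a timestamp for the source IP.
  iptables -A "$IN_CHAIN" -p tcp --tcp-flags SYN,RST,ACK SYN \
    -m recent --name "$LIST" --set

  # Let packets that establish or tear down connections through untouched.
  # NOTE(review): ACK is part of this mask, so nearly every post-handshake
  # packet RETURNs here and never reaches the tarpit rules below; the header
  # comment and the "trickle" rule suggest SYN,RST,FIN was intended.  Left as
  # the author wrote it -- TODO confirm before changing, because removing ACK
  # makes the rate-limit apply to established sessions of tarpitted IPs.
  iptables -A "$IN_CHAIN" -p tcp ! --tcp-flags SYN,RST,ACK,FIN NONE \
    -j RETURN

  # Fewer than MAX_ATTEMPTS attempts within the window: not tarpitted, accept.
  iptables -A "$IN_CHAIN" \
    -m recent --name "$LIST" ! --rcheck \
      --seconds "$WINDOW_SECS" --hitcount "$MAX_ATTEMPTS" \
    -j RETURN

  # The tarpit: drop anything seen within TRICKLE_SECS of the last accepted
  # packet.  One packet per TRICKLE_SECS is enough to keep most tcp
  # connections open, but slows the attacker down considerably.
  iptables -A "$IN_CHAIN" \
    -m recent --name "$LIST" --rcheck --seconds "$TRICKLE_SECS" \
    -j DROP

  # The trickle packet refreshes the IP's timestamp, so it stays in the
  # tarpit until it has sent no SSH packets for WINDOW_SECS.
  iptables -A "$IN_CHAIN" -m recent --name "$LIST" --set

  # Hook the chain into INPUT (only once, even on re-runs).
  ensure_rule INPUT -p tcp --dport "$SSH_PORT" -i "$IFACE" -j "$IN_CHAIN"
}

#######################################
# Build the outbound MSS-clamping chain and hook it into OUTPUT.  By
# advertising a tiny MSS to tarpitted IPs we make the attacker send smaller
# packets, amplifying the effect of the inbound rate-limit.
# Globals: OUT_CHAIN, LIST, SSH_PORT, MAX_ATTEMPTS, WINDOW_SECS, TARPIT_MSS
#          (read)
#######################################
build_output_chain() {
  ensure_chain "$OUT_CHAIN"

  # Not tarpitted: leave the MSS alone.  Packets in OUTPUT travel from us to
  # the client, so the list entry (recorded by source address on INPUT) must
  # be looked up by *destination* here (--rdest).  With the default --rsource
  # the check compared our own address, never matched, and the clamp below
  # was never applied.
  iptables -A "$OUT_CHAIN" \
    -m recent --name "$LIST" --rdest ! --rcheck \
      --seconds "$WINDOW_SECS" --hitcount "$MAX_ATTEMPTS" \
    -j RETURN

  # Tarpitted: rewrite the MSS on our SYN (SYN/ACK) packets.
  # NOTE(review): on some kernels the TCPMSS target has been accepted only in
  # the mangle table; if this rule is rejected on the target system the chain
  # has to be created and hooked with `-t mangle` -- verify there.
  iptables -A "$OUT_CHAIN" -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --set-mss "$TARPIT_MSS"

  # Hook the chain into OUTPUT (only once, even on re-runs).
  ensure_rule OUTPUT -p tcp --sport "$SSH_PORT" -j "$OUT_CHAIN"
}

main() {
  build_input_chain
  build_output_chain
}

main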