How to Block SSH Brute Force Attacks with IPTables

If you manage a Linux server, protecting it against unauthorized access is paramount. One common security threat is the SSH brute force attack, where attackers make numerous login attempts using different password combinations. One effective defense is IPTables, the built-in Linux firewall, which can be used to mitigate these attacks. This tutorial will guide you through configuring IPTables to block SSH brute force attacks efficiently and enhance the security of your Linux server.

Understanding IPTables and SSH Brute Force Attacks

IPTables is a user-space utility that allows a system administrator to configure the IP packet filter rules of the Linux kernel firewall. An SSH brute force attack is a trial-and-error method in which an attacker guesses passwords by systematically trying many combinations against the SSH service until one succeeds.

Prerequisites

  • A Linux server with IPTables installed
  • Root or sudo privileges
  • Basic knowledge of SSH and Linux command line

Step 1: Check Existing IPTables Configuration

Before making changes, check the existing IPTables rules to avoid any conflicts:

sudo iptables -L

This command lists all current rules set up in IPTables.

Step 2: Set Up Basic SSH Rules

Ensure that your IPTables configuration allows legitimate SSH access. It’s critical to keep your own SSH connection while blocking unauthorized attempts:

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

These rules allow incoming and outgoing packets on the port typically used by SSH, which is port 22.

Step 3: Implement Rules to Prevent SSH Brute Force Attacks

To guard against SSH brute force attacks, you should limit the rate of incoming connections. Here’s how to configure IPTables to restrict repeated SSH attempts:

  1. Drop invalid packets:
sudo iptables -I INPUT 1 -m conntrack --ctstate INVALID -j DROP
  2. Block addresses that open more than three new SSH connections (login attempts) within 60 seconds. The rules are inserted with -I so that they sit ahead of the Step 2 ACCEPT rule:
sudo iptables -I INPUT 2 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
sudo iptables -I INPUT 3 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This configuration uses the recent module to track how often a specific IP address opens a new connection to port 22. If there are more than three attempts within 60 seconds, further connection attempts from that IP address are dropped for the next 60 seconds. Two points matter in practice. First, these rules must come before the Step 2 rule that accepts new connections to port 22: iptables stops at the first matching rule, so if they are appended after that ACCEPT rule a new SSH connection is accepted before the recent rules ever see it. Second, every blocked attempt is itself recorded by the --set rule and refreshed by the --update rule, so an address that keeps retrying stays blocked; it is accepted again only once its recorded attempts in the previous 60 seconds fall below the threshold.

Step 4: Save the IPTables Rules

Ensure your rules persist after a reboot:

For Debian/Ubuntu (with the iptables-persistent package installed, which provides the /etc/iptables/ directory and loads the file at boot):

sudo sh -c "iptables-save > /etc/iptables/rules.v4"

For CentOS/RHEL (on version 7 and later this requires the iptables-services package):

sudo service iptables save

Step 5: Monitoring and Logs

Monitor your IPTables rules to observe how they handle SSH traffic and modify them as necessary to ensure legitimate access isn’t unintentionally blocked:

sudo iptables -L -v

It’s also insightful to periodically check the server logs for unauthorized access attempts. The SSH daemon logs under the name sshd, to /var/log/auth.log on Debian/Ubuntu and /var/log/secure on CentOS/RHEL:

sudo grep sshd /var/log/auth.log
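Before relying on the Step 3 rule pair, it helps to know exactly what it will do to a given pattern of connections, including whether a legitimate user could trip it. The following Python script is an added example, not code from the original article: it models how the kernel's xt_recent module evaluates --set followed by --update --seconds 60 --hitcount 4 for a constructed list of NEW SSH connection attempts and reports the verdict each would receive.

```python
"""Offline model of the Step 3 rule pair (-m recent --set, then -m recent
--update --seconds 60 --hitcount 4 -j DROP) as the kernel's xt_recent module
evaluates it. Added example, not code from the article; the timeline is constructed."""
from collections import defaultdict, deque

SECONDS = 60        # --seconds 60
HITCOUNT = 4        # --hitcount 4
PKT_LIST_TOT = 20   # xt_recent default ip_pkt_list_tot: stamps kept per address


def simulate(events, seconds=SECONDS, hitcount=HITCOUNT):
    """events: (t, src_ip) pairs for NEW TCP connections to port 22, t in
    seconds, in arrival order. Returns [(t, src_ip, verdict), ...]."""
    stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))
    verdicts = []
    for t, ip in events:
        # Rule "--set": record this packet; no target, so evaluation continues.
        stamps[ip].append(t)
        # Rule "--update --seconds S --hitcount N -j DROP": count stored stamps
        # not older than S seconds; the stamp just written by --set is included.
        hits = sum(1 for s in stamps[ip] if t - s <= seconds)
        if hits >= hitcount:
            stamps[ip].append(t)   # --update refreshes the entry on a match
            verdicts.append((t, ip, "DROP"))
        else:
            verdicts.append((t, ip, "ACCEPT"))   # falls through to the port-22 ACCEPT
    return verdicts


def dropped_times(events, ip):
    """Arrival times at which connections from ip would be dropped."""
    return [t for t, src, v in simulate(events) if src == ip and v == "DROP"]


# Constructed timeline: 203.0.113.5 hammers port 22, 198.51.100.7 connects once.
SAMPLE = [
    (0, "203.0.113.5"), (5, "203.0.113.5"), (10, "203.0.113.5"),
    (12, "198.51.100.7"),
    (15, "203.0.113.5"),   # 4th attempt within 60 s: dropped
    (50, "203.0.113.5"),   # still blocked; the drop refreshes the entry
    (100, "203.0.113.5"),  # only the t=50 stamps are still within 60 s: accepted
    (200, "203.0.113.5"),
]

if __name__ == "__main__":
    for t, ip, v in simulate(SAMPLE):
        print(f"t={t:>4}s  {ip:<14} {v}")
```

Feeding it the connection pattern of your own automation (for example a monitoring job that opens several SSH sessions per minute) shows whether it would be caught by the threshold before you deploy the rules.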

Conclusion

Configuring IPTables to block SSH brute force attacks adds a robust layer of security to your Linux server. By combining rate-limiting connection attempts and monitoring your server’s access, you can significantly reduce the risk of malicious access.

Remember, the security landscape is always evolving, and as such, continuously update and audit your server’s security measures.
