Rate Limiting and Brute Force Protection

Rate limiting blunts brute force attacks by capping how many new connection attempts a single source address can make within a given window. Layering a packet-level limit (iptables) with a log-driven one (fail2ban) covers both fast connection floods and slower, spread-out password guessing that never trips the packet counter.

Configure iptables rate limiting:

# Rate limit new SSH connections: record every new connection attempt per
# source address, then act on sources that exceed 4 attempts in 60 seconds.
# The LOG rule must precede the DROP rule: a packet that matches DROP never
# reaches any later rule, so a LOG rule placed after it never fires.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

# Log offenders first (--rcheck only tests the counter, so the hit is not counted twice)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j LOG --log-prefix "SSH-RATELIMIT: "

# Then drop them (--update refreshes the timestamp, so a source that keeps hammering stays blocked)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

# Save rules so they survive a reboot (the path read by iptables-persistent / netfilter-persistent)
iptables-save > /etc/iptables/rules.v4

Implement fail2ban for dynamic blocking:

# Install fail2ban
sudo apt-get install fail2ban

# Create SSH-specific jail configuration. Settings under [DEFAULT] apply to
# every jail; a setting repeated inside a jail section overrides the default.
# /etc/fail2ban/jail.local
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
# Placeholder: replace with the mailbox that should receive ban notifications
destemail = admin@example.com
# Ban, then mail a report with whois output and the matching log lines
# (requires a working local mail transport)
action = %(action_mwl)s

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200

# Same built-in sshd filter and log as [sshd], but stricter thresholds. The jail
# name is arbitrary; because both jails watch the same log, this one normally
# bans a source first.
[sshd-aggressive]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
findtime = 300
bantime = 86400

# Custom filter for specific attacks (defined in filter.d/sshd-invaliduser.conf below)
[sshd-invaliduser]
enabled = true
port = 22
filter = sshd-invaliduser
logpath = /var/log/auth.log
maxretry = 2
bantime = 86400

Create the custom fail2ban filter referenced by the sshd-invaliduser jail:

# /etc/fail2ban/filter.d/sshd-invaliduser.conf
# common.conf defines __prefix_line (the syslog timestamp, hostname and
# "sshd[pid]:" lead-in). Without this include, %(__prefix_line)s cannot be
# interpolated and the jail fails to start.
[INCLUDES]
before = common.conf

[Definition]
# Matches log lines such as these (constructed examples):
#   sshd[2001]: Invalid user admin from 203.0.113.5 port 4242
#   sshd[2002]: User guest from 203.0.113.5 not allowed because not listed in AllowUsers
failregex = ^%(__prefix_line)sInvalid user .* from <HOST>
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers
ignoreregex =

# Check the filter against the live log before enabling the jail:
#   fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-invaliduser.conf
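To make the findtime/maxretry interaction in the jails above concrete, here is an added Python example (not part of the original page and not fail2ban's own code) that replays constructed auth.log lines through the three failregex patterns of the custom filter. It assumes a syslog-style prefix standing in for common.conf's __prefix_line and a plain IPv4 address for <HOST>; the thresholds default to those of the sshd-invaliduser jail.

```python
import re
from collections import defaultdict, deque

# Stand-ins for fail2ban internals (assumptions, not fail2ban code): a syslog-style
# prefix in place of common.conf's __prefix_line, and an IPv4 capture for <HOST>.
PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [  # the three patterns from sshd-invaliduser.conf
    re.compile(PREFIX + r"Invalid user .* from " + HOST),
    re.compile(PREFIX + r"User .+ from " + HOST + r" not allowed because not listed in AllowUsers"),
    re.compile(PREFIX + r"User .+ from " + HOST + r" not allowed because listed in DenyUsers"),
]

def parse_failure(line):
    """Return the source host if the line matches a failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None

def find_bans(events, maxretry=2, findtime=300):
    """Replay (seconds, line) events with jail semantics: a host is banned once
    maxretry matching lines fall within findtime seconds. Returns {host: ban_time}."""
    hits = defaultdict(deque)
    bans = {}
    for ts, line in events:
        host = parse_failure(line)
        if host is None or host in bans:
            continue
        window = hits[host]
        window.append(ts)
        while ts - window[0] > findtime:  # forget hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = ts
    return bans

# Constructed auth.log excerpt: (seconds since the first line, raw log line)
SAMPLE = [
    (0, "Jan 10 12:00:00 bastion sshd[2001]: Invalid user admin from 203.0.113.5 port 4242"),
    (20, "Jan 10 12:00:20 bastion sshd[2002]: Accepted publickey for ops from 198.51.100.7 port 5001 ssh2"),
    (40, "Jan 10 12:00:40 bastion sshd[2003]: Invalid user oracle from 203.0.113.5 port 4243"),
    (50, "Jan 10 12:00:50 bastion sshd[2004]: User guest from 198.51.100.9 not allowed because not listed in AllowUsers"),
    (400, "Jan 10 12:06:40 bastion sshd[2005]: User guest from 198.51.100.9 not allowed because not listed in AllowUsers"),
]

if __name__ == "__main__":
    print(find_bans(SAMPLE))  # {'203.0.113.5': 40}; 198.51.100.9's two hits are 350 s apart, outside findtime
```

Raising findtime to 600 makes the second host's two failures fall in one window, so it is banned too; this is the trade-off between the [sshd] and [sshd-aggressive] thresholds above.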