Re: ssh security

"jdow" <jdow@xxxxxxxxxxxxx> writes:

> I have found, however, that a simple three line iptables addition seems
> to work like a champ, except for filling up the log.
>
> ===8<---
> iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 120 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
> iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
>   --rcheck --seconds 120 --hitcount 3 -j REJECT --reject-with tcp-reset
> ===8<---

This is indeed a lovely approach, but has a drawback: it can't tell
the difference between many legit SSH connections and many bogus ones.

For example, if you are getting at a Subversion repository with
'svn+ssh://host/repo-stuff', then whole bunches of ssh connections
will be made in rapid succession.  You can always up the hitcount, but
that's just a method waiting to fail (e.g. what if SVN does something
unexpected that needs _lots_ of ssh connections).

Just FYI.

Will
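A small simulation of the quoted `recent` rules, added here as an illustration (not code from either poster), showing why an svn+ssh burst and a password-guessing run are indistinguishable to them: both are just TCP SYNs to port 22 from one source, and the rule never sees whether authentication succeeded. The hosts and timestamps are constructed sample data.

```python
# Model of the quoted iptables rules: every SYN to port 22 is recorded for
# its source (--set); the SYN is then rejected when that source has been
# seen at least --hitcount times within the last --seconds (--rcheck).
from collections import defaultdict, deque

WINDOW_SECONDS = 120   # --seconds 120
HITCOUNT = 3           # --hitcount 3
MAX_STAMPS = 20        # xt_recent keeps a ring of at most ip_pkt_list_tot
                       # timestamps per address (default 20)


def simulate(syns, seconds=WINDOW_SECONDS, hitcount=HITCOUNT):
    """syns: (timestamp, source_ip) pairs for SYNs to port 22, in time order.
    Returns [(timestamp, source_ip, verdict), ...]."""
    seen = defaultdict(lambda: deque(maxlen=MAX_STAMPS))
    verdicts = []
    for t, src in syns:
        seen[src].append(t)                         # rule 1: --set
        in_window = [x for x in seen[src] if t - x <= seconds]
        # rules 2 and 3: LOG, then REJECT, once the threshold is reached
        verdict = "REJECT" if len(in_window) >= hitcount else "ACCEPT"
        verdicts.append((t, src, verdict))
    return verdicts


def verdicts_for(syns, **kw):
    return [v for _, _, v in simulate(syns, **kw)]


# Constructed traffic: an svn+ssh checkout opening four sessions in four
# seconds, then one more session well after the window has expired ...
SVN_CLIENT = [(0, "192.0.2.10"), (1, "192.0.2.10"), (2, "192.0.2.10"),
              (3, "192.0.2.10"), (200, "192.0.2.10")]
# ... versus a password-guessing host pacing itself at one attempt per 30 s.
GUESSER = [(0, "198.51.100.7"), (30, "198.51.100.7"), (60, "198.51.100.7")]
# A larger svn burst, to show that raising --hitcount only moves the cliff.
SVN_BIG_BURST = [(i, "192.0.2.10") for i in range(10)]


def rejected(syns, **kw):
    return verdicts_for(syns, **kw).count("REJECT")


if __name__ == "__main__":
    for name, traffic in (("svn client", SVN_CLIENT), ("guesser", GUESSER)):
        print(name, verdicts_for(traffic))
    print("svn burst of 10, hitcount 3:", rejected(SVN_BIG_BURST), "rejected")
    print("svn burst of 10, hitcount 5:", rejected(SVN_BIG_BURST, hitcount=5), "rejected")
```

Both sources hit REJECT on their third SYN; the legitimate client only recovers at t=200 because its earlier stamps have aged out of the 120 s window.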

