Stop SSH scanning with iptables
Basically, you define in iptables your local nets and accept SSH
automatically:
iptables -A INPUT -p tcp --dport 22 -s <LOCAL_NET/CIDR> -j ACCEPT
(repeat as necessary)
Then, for everyone else, block repeated connection attempts (with the values below, the third new connection from the same source within 60 seconds is dropped):
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
You can see the state of this list in /proc/net/ipt_recent/SSH (or whatever name you gave it). Entries can be removed by writing `-IP.AD.DR.ES` into the file, and the entire list can be purged by writing `clear`. The list only keeps the most recent 100 IP addresses, which shouldn't normally be a problem (this is controlled by the ipt_recent kernel module's ip_list_tot module parameter).
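To see what the list above is doing without reading raw jiffies by hand, here is an added example (not from the original post) that summarises the recent-list file and flags sources whose last attempt hit the threshold. It assumes the current path /proc/net/xt_recent/SSH (on modern kernels the module is xt_recent; the ipt_recent path from the post applies to old kernels), that the file's timestamps are kernel jiffies so HZ must match the running kernel's CONFIG_HZ, and a line format of `src=IP ttl: T last_seen: J oldest_pkt: N J1, J2, ...`; TTL matching (`--rttl`) and jiffies wrap-around are not modelled.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the "recent" list
# that the two rules above maintain, and flag sources whose last attempt
# reached the --seconds/--hitcount threshold (i.e. would have been dropped).

HZ="${HZ:-250}"        # kernel jiffies per second (assumption; check CONFIG_HZ)
WINDOW=60              # --seconds from the DROP rule
HITCOUNT=3             # --hitcount from the DROP rule

# recent_summary FILE: print "SRC HITS_IN_WINDOW STATUS" for every tracked source.
# HITS_IN_WINDOW counts stamps no older than WINDOW seconds before last_seen,
# which is what --update evaluated when that last packet arrived.
recent_summary() {
    awk -v hz="$HZ" -v win="$WINDOW" -v hc="$HITCOUNT" '
    /^src=/ {
        src = $1; sub(/^src=/, "", src)
        last = $5 + 0                      # last_seen, in jiffies
        hits = 0
        for (i = 8; i <= NF; i++) {        # stamp list starts at field 8
            s = $i; sub(/,$/, "", s)
            if (last - (s + 0) <= win * hz) hits++
        }
        status = (hits >= hc) ? "BLOCKED" : "ok"
        print src, hits, status
    }' "$1"
}

# Constructed sample of the proc file (HZ=250, so the 60 s window is 15000 jiffies).
# Assumed format; live data comes from /proc/net/xt_recent/SSH.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
src=198.51.100.7 ttl: 52 last_seen: 4295100000 oldest_pkt: 3 4295088000, 4295094000, 4295100000
src=203.0.113.9 ttl: 61 last_seen: 4295100500 oldest_pkt: 2 4295060000, 4295100500
src=192.0.2.44 ttl: 64 last_seen: 4295101000 oldest_pkt: 1 4295101000
EOF

recent_summary "$SAMPLE"
# Against the live list instead: recent_summary /proc/net/xt_recent/SSH
```

Run it as root against the live file to see which sources are currently being rate-limited; a source shown as BLOCKED can be released by writing its address prefixed with `-` into the same file, as described above.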
