Thu, 06 Apr 2006
Erich, There's a much easier solution to blocking those ssh scanning bastards... some nice friendly iptables rules! (I forward ssh to an internal system, so this is in the FORWARD chain... use the INPUT chain otherwise.)
So, in the INPUT chain, you wouldn't use -o, and -d would be the IP on your external link... in this example, ppp0.
What it does is use the ipt_recent module, tracking connections from a given IP. 3 incoming connections in 60 seconds will cause the remote host to be blocked. Of course, this affects normal logins too, so for known hosts, it pays to insert a rule beforehand that does a -j ACCEPT.
I'm enjoying the very short log entries for a given ssh scanning host in my logcheck mail :).
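The rule set the comment describes, written out as an added example (these are not the poster's own rules); the interface names, addresses and the whitelist are constructed assumptions, and the script only prints the iptables commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: emit the iptables "recent"-module rate limit described
# in the comment above. Interface names, addresses and WHITELIST are
# constructed assumptions, not values from the original post.
# Usage: ssh_ratelimit_rules CHAIN IN_IF DST_IP [OUT_IF]
#   CHAIN   INPUT (ssh terminates on the firewall) or FORWARD (ssh is forwarded)
#   IN_IF   external interface the scans arrive on (ppp0 in the post)
#   DST_IP  the external IP for INPUT, the internal ssh server for FORWARD
#   OUT_IF  internal interface, only meaningful for FORWARD
HITS=3        # the third new connection inside the window is dropped
WINDOW=60     # seconds
WHITELIST="192.0.2.10 198.51.100.0/24"   # constructed known-good sources

ssh_ratelimit_rules() {
    chain=$1; in_if=$2; dst=$3; out_if=$4
    match="-p tcp --dport 22 -m state --state NEW -i $in_if -d $dst"
    # -o only makes sense when the firewall routes the packet onward
    if [ "$chain" = FORWARD ] && [ -n "$out_if" ]; then
        match="$match -o $out_if"
    fi
    # 1. Known hosts are accepted before the counter is consulted,
    #    so their logins are never rate-limited (as the post advises).
    for src in $WHITELIST; do
        echo "iptables -A $chain $match -s $src -j ACCEPT"
    done
    # 2. Record the source address of every new ssh connection.
    echo "iptables -A $chain $match -m recent --name SSH --set"
    # 3. Drop once the same source has HITS entries within WINDOW seconds.
    #    --update (rather than --rcheck) refreshes the timestamp, so a
    #    scanner that keeps retrying stays blocked. The tracked addresses
    #    can be inspected in /proc/net/xt_recent/SSH (ipt_recent on
    #    2.6-era kernels) to confirm who is being held off.
    echo "iptables -A $chain $match -m recent --name SSH --update" \
         "--seconds $WINDOW --hitcount $HITS -j DROP"
}

# Print both variants; pipe the output through 'sh' as root to apply.
ssh_ratelimit_rules FORWARD ppp0 10.0.0.5 eth0
ssh_ratelimit_rules INPUT   ppp0 203.0.113.7
```

Rule order matters: because the `--set` rule precedes the `--update ... -j DROP` rule, the third connection within the window is the first one dropped, matching the "3 in 60 seconds" behaviour in the comment.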