I've been successfully using the following suggestion for Debian:
http://www.debian-administration.org/articles/187
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP
The two rules above will limit incoming connections to port 22 to no more than
3 attempts in a minute - any more than that will be dropped.
> Daxomatic wrote:
>> Hi List,
>>
>> like anybody on the net I have these problems too, and was bored with
>> scrolling the endless logs. So I decided to put an end to it. Here
>> is a (rather small but effective and a bit blunt) script to put a
>> stop to this annoying behaviour ;-p
>>
>> #!/bin/bash
>> tail -0f /var/adm/messages | while read line; do
>>   echo "$line" | awk '/Invalid user/ {printf ("block in quick on bge1 proto tcp from %s to any port = 22 keep state\n", $NF)}' | ipf -f -
>> done
>>
>> as you all can see this is for a solaris 10 box (ipf) if you want to
>> make it work for linux you could do something like this this;
>>
>> tail -0f /var/log/messages | while read line; do
>>   echo "$line" | awk '/Invalid user/{printf $NF}' | cut -b 8- | xargs -i iptables -A INPUT -p tcp -m multiport --destination-ports 22 -s {} -j DROP
>> done
>>
>> I know there are better ways to script this but hey, it's quick and it
>> works for me so perhaps it's useful for you guys/girls too :-)
>>
>>
>> Rgds
>> Dax Hoes
>>
>> On 3 Mar 2006 05:14:44 -0000, [EMAIL PROTECTED]
>> <[EMAIL PROTECTED]> wrote:
>>> I have many SSH scans in my large academic network. IMO
>>> scanning hosts are Windows zombies.
>>>
>>> /p
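A defender-side refinement of the quoted log-watching script, added here as an example and not taken from the thread or its posters: it assumes the sshd log format shown in the constructed sample lines, keys on the "from <addr>" token instead of the last field (newer sshd appends "port NNNN" after the address, so $NF would then be the port), strips the ::ffff: prefix that the quoted cut -b 8- handled, and only prints the iptables commands unless APPLY=1 is set.

```bash
#!/bin/bash
# Added example (not from the thread): extract scanner addresses from sshd
# "Invalid user" lines and emit one iptables DROP rule per unique address.

# Constructed sample log lines (not taken from a real host).
SAMPLE_LOG='Mar  3 05:14:44 host sshd[123]: Invalid user admin from 192.0.2.10
Mar  3 05:14:45 host sshd[124]: Invalid user oracle from ::ffff:198.51.100.7
Mar  3 05:14:46 host sshd[125]: Invalid user test from 203.0.113.5 port 40111
Mar  3 05:14:47 host sshd[126]: Accepted publickey for dax from 192.0.2.99
Mar  3 05:14:48 host sshd[127]: Invalid user admin from 192.0.2.10 port 40222
Mar  3 05:14:49 host sshd[128]: Invalid user root from not-an-address'

# Print the unique IPv4 addresses from "Invalid user ... from <addr>" lines.
# Takes the token after "from" (not $NF, which is the port on newer sshd),
# strips the IPv4-mapped "::ffff:" prefix, and discards anything that is not
# a dotted quad so only clean addresses ever reach iptables.
offending_ips() {
    awk '/Invalid user/ {
            a = ""
            for (i = 1; i < NF; i++) if ($i == "from") { a = $(i+1); break }
            sub(/^::ffff:/, "", a)
            if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print a
         }' | sort -u
}

# Turn each address into an iptables DROP rule. Prints the commands by
# default; set APPLY=1 in the environment to execute them (needs root).
block_rules() {
    offending_ips | while read -r ip; do
        rule="iptables -A INPUT -p tcp --dport 22 -s $ip -j DROP"
        if [ "${APPLY:-0}" = 1 ]; then
            $rule
        else
            echo "$rule"
        fi
    done
}

# Dry run over the constructed sample: prints three DROP rules, one per
# unique address; the duplicate, the non-address and the accepted login
# are all skipped.
printf '%s\n' "$SAMPLE_LOG" | block_rules
```

For a live host, replace the printf with `tail -0f /var/log/messages` (or `journalctl -fu ssh`) piped into block_rules; the rate-limiting "recent" rules at the top of this reply remain the lighter-weight option when you do not want a growing per-address rule list.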