How to filter ssh scanners
Here’s an easy recipe to filter those annoying SSH scanners at your firewall:
iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
-m recent --set --name SSH
# optional: log a source that trips the limit, just before the DROP rule below
#iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
# -m recent --update --seconds 60 --hitcount 5 --rttl \
# --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
-m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP
This configuration will allow up to 5 new SSH connections per source address in a 60 second timeframe. This will usually make SSH scanners go away after their 5th retry, and seriously slow them down otherwise.
If you have users who “rightfully” need to open more SSH connections, make them use some VPN, a “safe” source IP range, whatever.
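To see what the two rules above do over time, here is an added Python model of the xt_recent bookkeeping (my code, not the page's or netfilter's): the --set rule records a timestamp for the source, the --update rule matches once --hitcount stamps fall inside the last --seconds seconds, and only a matching --update adds a further stamp. The addresses and times are constructed; --rttl is not modelled.

```python
MAX_STAMPS = 20  # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per address


class RecentList:
    """Model of one named xt_recent list, here the '--name SSH' list."""

    def __init__(self, seconds, hitcount):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = {}  # source address -> hit times, oldest first

    def _stamp(self, src, now):
        lst = self.stamps.setdefault(src, [])
        lst.append(now)
        del lst[:-MAX_STAMPS]  # the oldest stamps fall off the ring

    def set(self, src, now):
        """Rule 1, '--set': record a hit. Always matches; with no -j the packet falls through."""
        self._stamp(src, now)

    def update_matches(self, src, now):
        """Rule 2, '--update --seconds S --hitcount N': match when at least N recorded
        hits lie within the last S seconds (>= N, as the kernel counts); only a
        matching --update adds a further stamp."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= self.seconds)
        if hits < self.hitcount:
            return False
        self._stamp(src, now)
        return True


def verdict(rl, src, now):
    """Run one NEW connection to tcp/22 through both rules in order."""
    rl.set(src, now)
    return "DROP" if rl.update_matches(src, now) else "ACCEPT"


def simulate(attempts, seconds=60, hitcount=5):
    """attempts: (src, time_in_seconds) tuples in time order -> one verdict each."""
    rl = RecentList(seconds, hitcount)
    return [verdict(rl, src, t) for src, t in attempts]


if __name__ == "__main__":
    # constructed traffic: a scanner sending one SYN per second, plus an admin
    # opening a few spaced-out sessions from a different (constructed) address
    attempts = [("198.51.100.7", t) for t in range(10)]
    attempts += [("203.0.113.5", t) for t in (0, 30, 120)]
    attempts.sort(key=lambda a: a[1])  # stable sort keeps each source's own order
    for (src, t), v in zip(attempts, simulate(attempts)):
        print(f"t={t:3d} {src:14} {v}")
```

Because the hit-count test is "greater than or equal", the fifth new connection inside the window is the first one dropped, and every further attempt keeps the entry fresh. On a live host the current list can be inspected in /proc/net/xt_recent/SSH.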
To protect your firewall host, use INPUT instead of FORWARD.
Note that you can also implement port-knocking with the recent match.