Here’s an easy recipe to filter those annoying SSH scanners at your firewall:

# Record every new SSH connection attempt per source address in the "SSH" list
iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
        -m recent --set --name SSH
# Optional: log sources that exceed the limit before they are dropped
#iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
#       -m recent --update --seconds 60 --hitcount 5 --rttl \
#       --name SSH -j LOG --log-prefix "SSH_brute_force "
# Drop a new connection once the source has reached the hit count within 60 seconds
iptables -A FORWARD -i ethLRZ -p tcp --dport 22 -m state --state NEW \
        -m recent --update --seconds 60 --hitcount 5 --rttl --name SSH -j DROP

This configuration will allow up to 5 SSH connections in a 60-second time frame. This will usually make SSH scanners go away after their 5th retry, and seriously slow them down otherwise: every retry, even a dropped one, is recorded by the first rule, so a scanner that keeps hammering stays blocked until it has been quiet for a full 60 seconds.

If you have users who “rightfully” need to do more SSH connections, make them use some VPN, a “safe” source-IP-range, whatever.

To protect your firewall host, use INPUT instead of FORWARD.

Note that you can also implement port-knocking with the recent match.
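To see what these rules actually do to a scanner, to a legitimate user, and how the same match can drive the port-knocking idea just mentioned, here is an added example (not code from the original post): a small Python model of the iptables recent match, written to follow the xt_recent kernel logic as I understand it (--set records a timestamp per source; --rcheck/--update count the timestamps inside --seconds and match once that count reaches --hitcount, and --update adds a fresh timestamp on a match). --rttl and the per-source stamp cap are not modelled, the knock ports, list names and addresses are made up, and all traffic is constructed.

```python
# Added example, not from the original post: a model of the iptables "recent"
# match used to trace the SSH rate-limit rules and a port-knocking sketch.
# Simplifications: --rttl and the per-source stamp cap (ip_pkt_list_tot)
# are not modelled. Addresses, knock ports and timings are constructed.
from collections import defaultdict


class RecentList:
    """One named list (e.g. --name SSH): source address -> timestamps seen."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: add the source, or record one more hit for it."""
        self.stamps[src].append(now)

    def check(self, src, now, seconds=0, hitcount=0, update=False):
        """--rcheck (update=False) or --update (update=True).

        Matches when the source is listed and at least `hitcount` hits fall
        within the last `seconds` (0 means no window / no threshold)."""
        if src not in self.stamps:
            return False
        recent = [t for t in self.stamps[src] if not seconds or now - t <= seconds]
        matched = len(recent) >= max(hitcount, 1)
        if matched and update:
            self.stamps[src].append(now)  # a matching --update refreshes the entry
        return matched


def ssh_new_connection(ssh_list, src, now, seconds=60, hitcount=5):
    """Run one NEW SSH connection through the two FORWARD rules from the post.

    Returns "DROP" if the second rule fires, otherwise "ACCEPT" (meaning the
    packet continues to whatever rule normally permits SSH)."""
    ssh_list.set(src, now)  # rule 1: -m recent --set --name SSH
    if ssh_list.check(src, now, seconds, hitcount, update=True):
        return "DROP"       # rule 2: --update --seconds 60 --hitcount 5 -j DROP
    return "ACCEPT"


def replay(attempts, seconds=60, hitcount=5):
    """Replay (time, src) NEW-connection attempts; return the verdict per attempt."""
    ssh_list = RecentList()
    return [ssh_new_connection(ssh_list, src, t, seconds, hitcount) for t, src in attempts]


# Constructed traffic: a scanner retrying every 2 s for 20 attempts, then one
# more try after a 61 s pause; an admin opening 3 sessions in a minute.
SCANNER = [(2 * i, "198.51.100.7") for i in range(20)] + [(38 + 61, "198.51.100.7")]
ADMIN = [(0, "192.0.2.10"), (20, "192.0.2.10"), (50, "192.0.2.10")]


def port_knock_verdicts(events, knock1=1111, knock2=2222):
    """Minimal port-knocking sketch with two lists (hypothetical ports/names):
    hit knock1, then knock2 within 10 s, and SSH is accepted for 30 s.
    `events` are (time, src, dport); returns the verdict for each event."""
    k1, k2 = RecentList(), RecentList()
    verdicts = []
    for now, src, dport in events:
        if dport == knock1:
            k1.set(src, now)                       # --name K1 --set -j DROP
            verdicts.append("DROP")
        elif dport == knock2:
            if k1.check(src, now, seconds=10):     # --name K1 --rcheck --seconds 10
                k2.set(src, now)                   # --name K2 --set
            verdicts.append("DROP")                # knock ports never answer
        elif dport == 22:
            ok = k2.check(src, now, seconds=30)    # --name K2 --rcheck --seconds 30 -j ACCEPT
            verdicts.append("ACCEPT" if ok else "DROP")
        else:
            verdicts.append("DROP")
    return verdicts


# Constructed: a correct knock sequence, then a host that skips the first knock.
KNOCKS = [(0, "192.0.2.10", 1111), (3, "192.0.2.10", 2222), (5, "192.0.2.10", 22),
          (10, "198.51.100.7", 22), (11, "198.51.100.7", 2222), (12, "198.51.100.7", 22)]

if __name__ == "__main__":
    for label, attempts in (("scanner", SCANNER), ("admin", ADMIN)):
        print(label, " ".join(v[0] for v in replay(attempts)))
    print("knocking", port_knock_verdicts(KNOCKS))
```

Two things worth checking against this model rather than assuming: the --set rule has already recorded the current attempt by the time the --update rule counts hits, so with --hitcount 5 the fifth NEW connection inside the window is the first one dropped (use --hitcount 6 if exactly five should get through), and because every further attempt is recorded too, a scanner that never pauses stays blocked while the admin's three sessions sail through.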