Periodically one of my servers gets hit by SSH brute force attacks, and I finally got tired of manually dealing with it.
Previously I would go through the following flow:
iptables -I INPUT -s <OFFENDING_IP> -j DROP
So after a little research, with the goal of not installing or setting up anything fancy, I decided to go with a few more iptables rules to try to mitigate the issue, as per Rainer Wichmann. It is an old posting, but it looks exactly like the kind of rules I'm looking for:
# Rule 1: record every new connection to port 22 in the "recent" list named SSH, then accept it.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set \
  --name SSH -j ACCEPT
# Rules 2 and 3: once a source has 4 or more entries within 60 seconds, log and then drop
# its further packets to port 22 (--rttl additionally requires the TTL to match the recorded one).
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 \
  --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 \
  --rttl --name SSH -j DROP
There is also a whitelisting option, but since I have a dynamic IP address, I didn't see that as being especially helpful.
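The script below is an added example, not part of the original post or of Rainer Wichmann's page. It wraps the same recent-module rate limit (4 new connections per 60 seconds, list name SSH, log prefix "SSH_brute_force ") in a few helper functions: applying the rules idempotently, reading back the kernel's table of tracked sources, unblocking one address (the practical answer to the dynamic-IP whitelisting problem above, when your own address trips the limit), and counting the LOG rule's output per source. The variable names IPT and RECENT_TABLE are my own so the script can be exercised without root; one deliberate difference from the post's rules is that all three rules here match only NEW connections and the first has no target, so the log/drop decision is made on the connection attempt itself (in the post's ordering, the first rule accepts every new connection before the LOG and DROP rules are consulted, so those only ever see packets of already-accepted sessions).

```shell
#!/bin/sh
# Added example (not from the original post). IPT and RECENT_TABLE are
# assumed names so the functions can be exercised without root, e.g. IPT=echo;
# the defaults are the real binary and the kernel's table for the list "SSH".
IPT="${IPT:-iptables}"
RECENT_TABLE="${RECENT_TABLE:-/proc/net/xt_recent/SSH}"
WINDOW=60   # seconds, as in the post
HITS=4      # new connections allowed per window, as in the post

# Emit the three rule specifications (everything after "-A INPUT"), one per
# line. All three match only NEW connections; rule 1 just records the source
# and falls through, so whatever later rule accepts SSH still applies.
ssh_ratelimit_rules() {
    common="-p tcp --dport 22 -m state --state NEW -m recent --name SSH"
    limit="--update --seconds $WINDOW --hitcount $HITS --rttl"
    printf '%s\n' \
        "$common --set" \
        "$common $limit -j LOG --log-prefix \"SSH_brute_force \"" \
        "$common $limit -j DROP"
}

# Append each rule only if an identical one is not already present
# (iptables -C exits 0 when it is), so re-running the script is harmless.
# eval re-parses the quoted log prefix into a single argument.
apply_ssh_ratelimit() {
    ssh_ratelimit_rules | while IFS= read -r spec; do
        eval "$IPT -C INPUT $spec" 2>/dev/null \
            || eval "$IPT -A INPUT $spec" \
            || return 1
    done
}

# Show what the kernel currently remembers per source: address and number of
# recorded timestamps (the module keeps up to ip_pkt_list_tot stamps; the
# --seconds window is applied at match time, not here). Table line format:
#   src=A.B.C.D ttl: N last_seen: J oldest_pkt: K t1 t2 ...
list_ssh_sources() {
    [ -r "$RECENT_TABLE" ] || return 1
    while IFS= read -r line; do
        set -- $line
        src=${1#src=}
        echo "$src $(($# - 7))"
    done < "$RECENT_TABLE"
}

# Remove one address from the table (the proc interface accepts "-addr"),
# e.g. after your own dynamic address tripped the limit. Needs root on a live box.
unblock_ssh_source() {
    printf '%s\n' "-$1" > "$RECENT_TABLE"
}

# Summarise the LOG rule's output: count "SSH_brute_force" kernel log lines
# per SRC= address, busiest first. Pass log file names, or nothing for stdin.
count_logged_sources() {
    awk '/SSH_brute_force/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^SRC=/) n[substr($i, 5)]++
         }
         END { for (s in n) print n[s], s }' "$@" | sort -rn
}

# Usage: ssh-ratelimit.sh apply | list | unblock ADDR | logs [FILE...]
case "${1:-}" in
    apply)   apply_ssh_ratelimit ;;
    list)    list_ssh_sources ;;
    unblock) unblock_ssh_source "$2" ;;
    logs)    shift; count_logged_sources "$@" ;;
esac
```

Running `sh ssh-ratelimit.sh apply` twice leaves exactly three rules in INPUT; `sh ssh-ratelimit.sh list` shows which sources the kernel is tracking, and `unblock` clears a single entry without flushing the whole list.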