Comment Re:automated responses to probes? (Score 2, Informative) 128
Add a rate limit to your incoming ssh syn connections and drop the ones that go over the rate limit. Also, remove password authentication and only allow rsa authentication. With these together, ssh attacks will disappear from your logs.
For example:
For example:
Note. Only turn on the output to log when you want to see what is going on. Otherwise, just comment out that line.$IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP --dport 22 -j allowed
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP --syn -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
$IPTABLES -A allowed -p TCP -j LOG --log-level "NOTICE" --log-prefix '[DROP:RATE_LIMIT] '
$IPTABLES -A allowed -p TCP -j REJECT