Odd ssh attacks?

David Ford david at blue-labs.org
Fri Jul 20 13:30:15 UTC 2007


[...]
>>> For example,
>>> $IPTABLES -I INPUT -s 203.127.160.155 -j DROP
>>>       
>> Note, that this is OK for a home user, probably not a good idea for the
>> Corporate webserver, as you are banning everybody who will ever use the
>> same IP address (think dial up users, and folks behind NATed firewalls).
>>     
>  
> Second that. That's what fail2ban (available in your favorite universe) is 
> about. It blocks an offending ip (after some failed login attempts) for a 
> predetermined period.
>   
And that's why ipt_recent via iptables is even better.  It's all done on
the kernel side without any context switching or memory use.  Packets
get stopped much sooner, much faster and with far fewer resources used.

Fully automatic with heuristics and even manageable in userland with echo
x.x.x.x > y and echo -x.x.x.x > y

I use this to match ssh probes and I use it for blocking spam senders. 
More than N hits per 60 seconds for ssh and you get firewalled for an
hour.  Send me an email that scores higher than 10 with spamassassin and
you get TARPIT'd for 7 days on port 25.

It works wonders for dropping the load on a mail server.

-david
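An added example of the ipt_recent approach described above (not David's own rule set): a script that emits iptables rules using the recent match so that more than N new SSH connections from one address within 60 seconds gets that address dropped for an hour, plus the echo-to-proc helpers for manual management. N=5, port 22, and the list names sshprobe/sshban are assumed values.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Assumptions: N=5 probes per 60 s window, 1 h ban, SSH on port 22.
IPTABLES=${IPTABLES:-iptables}
N=${N:-5}
WINDOW=60
BANTIME=3600
SSH_PORT=22

# Emit the rule set, one command per line, so it can be reviewed first or
# piped to sh. Order matters: the ban check must come before the counters.
ssh_recent_rules() {
    cat <<EOF
$IPTABLES -N SSH_BAN
$IPTABLES -A SSH_BAN -m recent --name sshban --set -j DROP
$IPTABLES -A INPUT -p tcp --dport $SSH_PORT --syn -m recent --name sshban --update --seconds $BANTIME -j DROP
$IPTABLES -A INPUT -p tcp --dport $SSH_PORT --syn -m recent --name sshprobe --set
$IPTABLES -A INPUT -p tcp --dport $SSH_PORT --syn -m recent --name sshprobe --rcheck --seconds $WINDOW --hitcount $((N + 1)) -j SSH_BAN
EOF
}
# Rule 3: a banned address hitting SSH again is dropped and (--update) its
# timestamp refreshed, so the hour restarts with every new probe.
# Rule 4: every new SSH SYN is recorded in the sshprobe list.
# Rule 5: more than N SYNs in WINDOW seconds sends the source to SSH_BAN,
# which adds it to the sshban list and drops the packet.

# Userland control file for a recent list: 2007-era kernels exposed it under
# /proc/net/ipt_recent/, current ones under /proc/net/xt_recent/.
recent_ctl() {
    if [ -d /proc/net/xt_recent ]; then echo "/proc/net/xt_recent/$1"
    else echo "/proc/net/ipt_recent/$1"; fi
}
# Manual management from userland, as in the post: "echo x.x.x.x" adds an
# address to the list, "echo -x.x.x.x" removes it. Needs root.
ban_ip()   { echo "$1"  > "$(recent_ctl sshban)"; }
unban_ip() { echo "-$1" > "$(recent_ctl sshban)"; }

case "${1:-}" in
    --apply) ssh_recent_rules | sh ;;   # install the rules (root required)
    *)       ssh_recent_rules ;;        # default: just print them
esac
```

Run with `--apply` as root to install the rules; note that the recent match keeps at most ip_pkt_list_tot packets per address (20 by default), which caps the usable --hitcount.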




More information about the ubuntu-users mailing list