Being the LinuxCzar with tools like iptables and LVS, I view network traffic as almost infinitely malleable.  So, one of the ways I currently deal with SSH scans on my personal machines is to install a rate limit.

These examples are copied out of my /etc/sysconfig/iptables file.

First, any new connection to my SSH port has its own special rule chain:

-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN

I define the SSHSCAN chain like the below.  This is using the “recent” iptables module that’s present in RHEL 5 and later.  First, we set the source IP address into a list named SSH:

-A SSHSCAN -m recent --set --name SSH --rsource

Now we have a history of IP addresses that have connected to our SSH port.  If there are more than 10 hits in the last 300 seconds we log that we are being SSH scanned:

-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH \
-j LOG --log-level info --log-prefix "SSH SCAN blocked: "

Again, if we have more than 10 hits of the source IP address in 300 seconds we drop the packet on the floor:

-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH \
--rsource -j DROP

If we don’t match any of the rules above we have a SSH syn packet that has not reached the block threshold and we accept it:

-A SSHSCAN -j ACCEPT

Now, as I look at the above I notice that the DROP rule should probably be using --rcheck instead of --update which may mean that I’m logging two history hits per each SSH connection…but…anyway….