SSH Blocking How To using Iptables
Written by Allen Sanabria
Sunday, 10 February 2008 18:55

This quick how-to is for those Linux admins/users who have their Linux server accessible to the outside world.

Don't you hate it when those bots start hitting you with an SSH dictionary attack? Well, block them using iptables.

    • Here I will show you how to add the first rule in iptables.

    • The first rule we add tells iptables to create a list called ssh_attempt and store the source IP of every recent SSH attempt on port 22 using TCP on interface eth0.
    • "iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh_attempt --rsource"

    • Step-by-step explanation:
    • iptables is the command you use to enter the firewall rules.
    • "-A INPUT" means APPEND to the INPUT chain.
    • "-i eth0" means this rule applies to the interface eth0.
    • "-p tcp" means we are using the TCP protocol.
    • "-m tcp" means we are matching on the TCP protocol.
    • "--dport 22" means we are matching on destination port 22.
    • "-m state --state NEW" means this rule only applies to NEW incoming SSH connections, not ESTABLISHED or RELATED ones.
    • "-m recent --set --name ssh_attempt --rsource" lets us match packets based on recent events we have previously matched; it sets the name of the list, while saving the source IP address and port.
    • In this step we will show you how to deny those bots.

    • "iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 2 --name ssh_attempt --rsource -j DROP"
    • The only difference in this rule is these options:
    • "--update --seconds 10 --hitcount 2 --name ssh_attempt" matches if the source is present in the specified list, and it also updates the last-seen time in the list. "--seconds 10" specifies how long since the source was "last seen" the match still counts. "--hitcount 2" limits the match to sources that have been seen at least that many times within that window.
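As an added example (not part of the original article), the following Python script models how the two rules above interact through the ssh_attempt list, so you can see which NEW connection attempts get dropped. The --set/--update counting logic follows the xt_recent kernel module as I understand it and is simplified (the real module caps the number of stamps kept per address); the IP addresses and timings are constructed sample traffic.

```python
# Model of how the two rules on this page interact through the iptables
# "recent" list. Not iptables itself: --set/--update semantics follow the
# xt_recent kernel module as understood here (assumption; simplified, the
# real module caps the number of stamps kept per address).
from collections import defaultdict

SECONDS = 10   # --seconds 10 from the DROP rule on this page
HITCOUNT = 2   # --hitcount 2 from the DROP rule on this page


class RecentList:
    """One named list ('ssh_attempt'), keyed by source address (--rsource)."""

    def __init__(self):
        self.stamps = defaultdict(list)   # src ip -> timestamps of hits

    def set(self, src, now):
        # -m recent --set: record this hit; always matches
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        # -m recent --update --seconds N --hitcount M: match only if the source
        # is already listed and at least M hits fall within the last N seconds;
        # a match also refreshes the entry's last-seen time.
        if src not in self.stamps:
            return False
        hits = [t for t in self.stamps[src] if now - t < seconds]
        if len(hits) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def filter_new_ssh(attempts, seconds=SECONDS, hitcount=HITCOUNT):
    """Run NEW SSH connection attempts [(time, src), ...] through the two rules
    in the order the article appends them. 'PASS' means the packet fell
    through to the rest of INPUT; 'DROP' means rule 2 dropped it."""
    ssh_attempt = RecentList()
    verdicts = []
    for now, src in attempts:
        # rule 1: ... -m recent --set --name ssh_attempt --rsource   (no -j)
        ssh_attempt.set(src, now)
        # rule 2: ... -m recent --update --seconds 10 --hitcount 2 ... -j DROP
        dropped = ssh_attempt.update(src, now, seconds, hitcount)
        verdicts.append("DROP" if dropped else "PASS")
    return verdicts


if __name__ == "__main__":
    # constructed traffic: a bot retrying every second, then pausing 11 seconds
    print(filter_new_ssh([(t, "198.51.100.7") for t in (0, 1, 2, 3, 14)]))
```

The sample run shows the trade-off of a 10-second window: the burst is dropped from the second attempt on, but a source that pauses longer than 10 seconds gets one more attempt through before being dropped again.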

Last Updated ( Monday, 12 May 2008 20:12 )