how to react on ssh attacks?

jdow jdow at earthlink.net
Tue Oct 25 02:22:21 UTC 2005


From: "Jeff Vian" <jvian10 at charter.net>
>> Request looks like:
>> Oct 23 10:49:42 ********* sshd[15806]: Failed password for root from 
>> 81.208.32.170 port 1354 ssh2
> 
> As you have already realized, it is generally not safe to allow ssh
> access for root.  In fact, Fedora by default does not allow root to have
> ssh access.

> I got the tool and instructions here.
> http://www.csc.liv.ac.uk/~greg/sshdfilter/
> It was extremely easy to set up using the instructions for FC3 with
> slight modifications for FC4 and seems to work well.

Your machine is already equipped with iptables. Simply add these three
rules to your firewall and you achieve the effect of accepting two
attempts to log in to your ssh port in any 60 second period. If there
are more than two attempted connections in a one minute period the
connection is rejected and logged. It works fine and is transparent
to normal use. If you make password mistakes twice in a minute you
have to wait a minute. That's no big deal. It may be a problem if you
have large numbers using ssh to connect. But how many of us have that
as a problem?

===8<--- With sincere thanks to the fellow who pointed this trick out.
# Rule 1: record the timestamp of every new connection (SYN) to port 22
# in the 'sshattack' list, then fall through to the next rule.
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
# Rule 2: if this source already has 3 or more entries in the last 60
# seconds (this SYN included), log it.  LOG does not stop rule processing.
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 60 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
# Rule 3: same test; reject the connection with a TCP reset.
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
  --rcheck --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
===8<---
There are degrees of free. If you have to download it and install it,
the above is "freer" if you add it to your iptables script.

{^_^}
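The following is an added example, not part of the post above, that simulates what the three rules do to a sequence of connection attempts. It models the `recent` match as a per-source list of SYN timestamps (`--set` appends one; `--rcheck --seconds 60 --hitcount 3` matches when at least three entries fall inside the last 60 seconds and leaves the list untouched). The event list, the source addresses `A` and `B`, and the 20-entry-per-address cap are constructed for the example; the cap mirrors the kernel module's default per-address history, which is an assumption about the default build rather than something the post states.

```python
"""Simulation of the iptables 'recent' match behind the three sshd rules.

This is illustrative code, not the kernel module: it keeps, per source
address, the list of SYN arrival times (as --set does) and answers the
--rcheck --seconds/--hitcount question over that list.
"""
from collections import defaultdict

WINDOW_SECONDS = 60     # --seconds 60
HITCOUNT = 3            # --hitcount 3
MAX_STAMPS = 20         # assumed per-address history cap (xt_recent default)


class RecentList:
    """One named list, like 'sshattack' in /proc/net/xt_recent/."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        """--set: record this packet's arrival time for src."""
        lst = self.stamps[src]
        lst.append(now)
        if len(lst) > MAX_STAMPS:      # oldest stamps are dropped
            del lst[0]

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: true if at least N recorded
        stamps for src lie within the last S seconds. Does not modify the list."""
        recent = [t for t in self.stamps[src] if now - t <= seconds]
        return len(recent) >= hitcount


def decide(table, src, now):
    """Run one SYN from src at time now through the three rules in order.

    Returns (verdict, logged): verdict is 'ACCEPT' (the packet falls through
    to sshd) or 'REJECT' (tcp-reset); logged is True when the LOG rule fired.
    """
    table.set(src, now)                          # rule 1: --set, keep going
    if table.rcheck(src, now, WINDOW_SECONDS, HITCOUNT):
        return "REJECT", True                    # rule 2: LOG, rule 3: REJECT
    return "ACCEPT", False


def simulate(events):
    """events: iterable of (time_in_seconds, source) in arrival order.
    Returns a list of (time, source, verdict)."""
    table = RecentList()
    return [(t, src, decide(table, src, t)[0]) for t, src in events]


# Constructed sample: source A mistypes a password, reconnects twice more
# within the minute, then comes back later; source B is unrelated traffic.
SAMPLE_EVENTS = [(0, "A"), (30, "A"), (50, "A"), (55, "B"), (125, "A")]

# Constructed sample: one SYN per second from a single source for 100 s.
HAMMER_EVENTS = [(t, "C") for t in range(100)]


def rejected_count(events):
    """Number of events the rules would reject."""
    return sum(1 for _, _, v in simulate(events) if v == "REJECT")


if __name__ == "__main__":
    for t, src, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={t:4d}s  {src}  {verdict}")
    print("hammering source rejected", rejected_count(HAMMER_EVENTS), "of", len(HAMMER_EVENTS))
```

Two points the run makes visible: the count is of SYNs, not of failed passwords, so a client that reconnects for any reason (including key-based logins from a script) is counted the same way; and because `--set` runs before the check, every rejected attempt is itself recorded, so a source that keeps retrying inside the window stays blocked until it goes quiet for a full 60 seconds.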
More information about the fedora-list mailing list