Prevent SSH attacks
I think you had better use fail2ban, because your ipfilter rules also block legitimate connections. fail2ban will only block IPs after failed connections.
Next, a common practice is to ban IPs when they try to connect to port 22, and bind your ssh server to another port. You then face only a couple of illegitimate connections per week if your computer is not a well known target.
For the precise question you asked:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
You can implement what you want with the following 2 rules:
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
Note that using -A, which adds rules to the end of the chain, can fall foul of the way that iptables rules are processed, i.e. in order: if there is a general DROP or an allow rule before yours is reached, then they will never be acted on.
Having said that, you may also find fail2ban is a better way of implementing this kind of block.
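To see what `--seconds 60 --hitcount 4` actually does, and why the `-I` versus `-A` ordering from the two answers above changes the count, here is an added simulation of the `-m recent` match (not code from either answer). It models the documented semantics: `--rcheck`/`--update` count the timestamps already recorded for the address, so the packet being checked only counts if an earlier `--set` rule stamped it, and `--update` adds a stamp only when it matches; the traffic and addresses are constructed.

```python
# Model of iptables -m recent: per-address ring of packet timestamps
# (kernel default ip_pkt_list_tot = 20). Illustrative model, not kernel code.
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # default size of the per-address timestamp ring


class RecentTable:
    """Per-address timestamps, as kept by one -m recent table."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, addr, now):
        """--set: record this packet's time."""
        self.stamps[addr].append(now)

    def check(self, addr, now, seconds, hitcount, update):
        """--rcheck (update=False) / --update (update=True): match when at
        least `hitcount` recorded stamps fall within the last `seconds`.
        --update additionally stamps the packet, but only on a match."""
        if addr not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[addr] if now - t <= seconds)
        matched = hits >= hitcount
        if matched and update:
            self.stamps[addr].append(now)
        return matched


def run_chain(chain, packets, seconds=60, hitcount=4, update=True):
    """Walk NEW SYNs (addr, time) through a chain of 'set'/'drop' rules.
    Returns one verdict per packet: 'DROP' or 'ACCEPT' (fell through)."""
    table = RecentTable()
    verdicts = []
    for addr, now in packets:
        verdict = "ACCEPT"
        for rule in chain:
            if rule == "set":
                table.set(addr, now)
            elif table.check(addr, now, seconds, hitcount, update):
                verdict = "DROP"
                break
        verdicts.append(verdict)
    return verdicts


# Constructed traffic: five SYNs in five seconds from one host, one from another.
BURST = [("203.0.113.7", t) for t in range(5)] + [("198.51.100.9", 5)]
INSERT_ORDER = ["drop", "set"]  # two `-I` commands: the later one lands first
APPEND_ORDER = ["set", "drop"]  # two `-A` commands keep their typed order

if __name__ == "__main__":
    print(run_chain(INSERT_ORDER, BURST))  # 4 accepted, 5th dropped
    print(run_chain(APPEND_ORDER, BURST))  # 3 accepted, 4th and 5th dropped
```

With the `-I` order the check runs before the `--set`, so hitcount 4 lets four connections through per minute; with `-A` the `--set` stamps first and the fourth is dropped. Swapping `--update` for `--rcheck` matters too: a host that keeps retrying after being dropped is kept out by `--update` but gets a fresh allowance once its stamps age out with `--rcheck`.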
You might want to try the LIMIT module.
iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute -j ACCEPT