Prevent SSH attacks

I think you had better use fail2ban, because your ipfilter rules also block legitimate connections. fail2ban will only block IPs after failed connections.

Next, a common practice is to ban IPs when they try to connect to port 22, and to bind your ssh server to another port. You then face only a couple of illegitimate connections per week if your computer is not a well-known target.

For the precise question you asked:

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

You can implement what you want with the following two rules:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP

Note that using -A, which adds rules to the end of the chain, can fall foul of the way that iptables rules are processed, i.e. in order, so if there is a general DROP or an allow rule before yours is reached then they will never be acted on.

Having said that you may also find fail2ban is a better way of implementing this kind of block.


You might want to try the LIMIT module.

iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/minute -j ACCEPT
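As an added example (not code from any of the answers above), here are both approaches written out as complete, ordered rule sets: the per-source recent-module window from the first two answers, and the limit-module variant from the last one, followed by a small model of how --seconds/--hitcount decide a verdict so the numbers can be checked without root or a live firewall. SSH_PORT, IFACE, the recent list name SSH and the dry-run IPT variable are assumptions of this script, not values from the page.

```shell
#!/bin/sh
# Added example, not code from any of the answers above.
# Two complete SSH rate-limit rule sets (recent module and limit module) plus a
# small model of the recent module's sliding window, so the hitcount/seconds
# behaviour can be checked without root or a live firewall.
#
# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables (as root) to apply them. SSH_PORT and IFACE are assumptions.
IPT="${IPT:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"
IFACE="${IFACE:-eth0}"

# Variant 1: per-source window with the recent module.
# Appended with -A in evaluation order: record the hit, drop if this source
# has now been seen 4 times in 60 s, otherwise accept the new connection.
# Place these before any general DROP in INPUT, or they are never reached.
recent_rules() {
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -i "$IFACE" -m state --state NEW \
        -m recent --name SSH --set
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -i "$IFACE" -m state --state NEW \
        -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -i "$IFACE" -m state --state NEW -j ACCEPT
}

# Variant 2: global token bucket with the limit module. limit only decides
# which packets match; the rule after it decides the fate of the excess.
# Unlike recent, this counts all sources together, so one noisy host can
# exhaust the budget for everyone for the duration of the burst.
limit_rules() {
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW \
        -m limit --limit 3/minute --limit-burst 3 -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j DROP
}

# Simplified model of "--set" followed by "--update --seconds W --hitcount N":
# every new connection is recorded, and it is dropped when the source now has
# N or more recorded hits inside the last W seconds (the dropped hit stays in
# the list, as it does in xt_recent). Arguments: W N t1 t2 ... (seconds).
recent_simulate() {
    window="$1"; hitcount="$2"; shift 2
    seen=""; verdicts=""
    for t in "$@"; do
        seen="$seen $t"
        n=0
        for s in $seen; do
            [ $((t - s)) -lt "$window" ] && n=$((n + 1))
        done
        if [ "$n" -ge "$hitcount" ]; then
            verdicts="${verdicts}DROP "
        else
            verdicts="${verdicts}ACCEPT "
        fi
    done
    printf '%s' "${verdicts% }"
}

# Dry run: print both rule sets and walk a constructed burst of 5 new
# connections from one source (at 0, 10, 20, 30 and 100 seconds).
recent_rules
limit_rules
echo "recent model: $(recent_simulate 60 4 0 10 20 30 100)"
```

Run it as-is to see the commands it would issue; only the recent variant keeps a separate counter per source address, and with --set placed before --update the fourth new connection from one address inside 60 seconds is the first one dropped, while a connection 100 seconds after the first is accepted again because the earlier hits have aged out of the window. The limit variant caps new SSH connections globally at 3 per minute (with a burst of 3) and drops the remainder, so it is a blunter tool than either the recent module or fail2ban.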