In this article are shown example instructions for a simple firewall disallowing new connections if the remote host initiates a connection too often. This is especially the case with SSH brute force attacks. Most administrators know the feeling of annoyance when they look at the system security logs and notice the enormous amounts of failed SSH logins. What makes the described solution effortless is that there is no need to install and configure a separate log watcher daemon – just bring in some firewall rules. The setup might be most useful in the context of security-sensitive hosts where additional security measures would be justified, even more so if, for some reason, strong (e.g. key based) authentication can’t be used.
The article was originally published over on Upcloud: How to setup iptables firewall effortlessly using ‘recent’ triggering and ipset