I recently had to move sshd back to port 22, and I quickly tired of seeing 5k failed login attempts every day.
UPDATE: After some Googling, and after taking into account a lot of good advice from the comments, as well as from John and Smooge, here’s how I’ve rewritten my firewall to protect against brute force ssh attacks.
# set default policies iptables -P INPUT DROP # all pre-established clients iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # new inbound ssh, protecting against brute-force attacks iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
The changes improve efficiency by moving all the RELATED and ESTABLISHED filtering to the beginning of the checks. Also, the order of the checks on the NEW ssh connections have been fixed based on the suggestions in the comments.
The blocked IPs are stored in /proc/net/ipt_recent/SSH.
This technique, known as “connection throttling”, can be applied to any service (web, mail, etc.) you wish to protect against DoS (and might also help in case of DDoS)