Re: Advice on dealing with scripted SSH attacks?

> I've seen a number of iptables rules with this basic idea, but they
> don't actually tell the difference between bad and good connections
> (I confirmed with Jeff that this was the case here).  This means a
> self-inflicted denial of service is possible (maybe even probable
> depending on your environment).  Before deploying an iptables rule
> that does this, you should check your logs and make sure you don't
> have legitimate traffic with that sort of frequency.  As an example
> from one server I manage, here's a sanitized log excerpt showing a
> single user making six legitimate connections within one minute (I
> know they're legit because I know the user).  I'm nearly certain this
> is from either web editing or file transfer software that speaks SSH,
> but isn't smart enough to transfer files in a single connection.

That's why you white list IP addresses from known IP addresses with a 
permit before the general ssh rule, i.e.

-A INPUT -s ###.###.###.### -p tcp -m tcp --dport 22 -j ACCEPT