linux iptables

https://www.rackaid.com/blog/how-to-block-ssh-brute-force-attacks/

Methods to Stop SSH Brute Force Attacks
There are basically four approaches to dealing with SSH brute force attacks:

    Restrict SSH access by IP address
    Change SSH to another Port
    Use intrusion prevention tools to dynamically block access
    Rates limit SSH sessions using IPTables

All of these approaches have theirs benefits and drawbacks.

While restricting SSH access by IP address is the most secure method, such restrictions are often not possible when dealing with web hosting services as you have multiple users with constantly changing IP addresses.

Changing the SSH port may defeat bot scans but does little against targeted attacks.  Also, this usually just frustrates your users.

Intrusion prevention tools like fail2ban and denyhosts have their place but they are subject to log based attacks.  These tools essential analyze logs using regular expressions.  Hackers have found ways around both of these tools in the past.

Lastly, you have a great tool to block ssh brute force attacks right on your server: IPtables.
Using IPtables to Stop SSH Brute Force Attacks

I like to think of this approach similar to flow rates with pipes.  Bigger pipes allow more water to flow.  Smaller pipes can handle less water.

control ssh access with iptables

To block a SSH brute force attack, we just need to slow down the flow of requests. We can do this by rate-limiting requests to SSH with iptables.

Essentially, we create a smaller pipe for new SSH sessions.  This slows brute force attacks to a point where they become ineffective.

The iptables rules are relatively simple.
   
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
/usr/sbin/iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --update --seconds 60 --hitcount 4 -j DROP

This rule will block an IP if it attempts more than 3 connections per minute to SSH. Notice that the state is set to NEW. This means only new connections not established ones are impacted. Established connections are the result of a successful SSH authentication, so users who authenticate properly will not be blocked.

If you need to see what’s being done, you may want to log these drops. You can do so by setting up a log rule and then using these rules instead.
   
/sbin/iptables -N LOGDROP
/sbin/iptables -A LOGDROP -j LOG
/sbin/iptables -A LOGDROP -j DROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent  --update --seconds 60 --hitcount 4 -j LOGDROP



please use iptables-persistent; it's the easy way: Install iptables-persistent:

    sudo apt-get install iptables-persistent

After it's installed, you can save/reload iptables rules anytime:

    sudo /etc/init.d/iptables-persistent save
    sudo /etc/init.d/iptables-persistent reload