In January of this year I asked about ways to lock out sshd break-ins.
After some digging around on the web, and experimentation, I found that
the following works with Mandriva 2007.1, restricting login attempts
(as well as actual logins) to one per minute. Oddly, the number of hits
per interval (hitcount) must be 2 to achieve this. If it is 1 then the
initial connection is dropped. It appears that the connection attempt
counter is incremented BEFORE the hitcount rule is encountered, so if it
is set to 2 it sees 1 and is happy to go on, but if it is set to 1, it
sees 1, and locks out even the first connection attempt. Since local
machines are usually allowed to log in as frequently as desired, there is
a rule that provides for that before the rule that restricts the remote
login rate:


DO_ONCE=1

# get_ips is defined elsewhere in the full script; this minimal stand-in
# splits its argument list into the IPS array, so that the FOR loop can
# pull the addresses out one at a time and assign them to the symbol $IP
get_ips() { IPS=("$@"); }

get_ips $SSH_CLIENTS
for IP in "${IPS[@]}"; do
    echo Processing SSH client $IP...
    #
    # All of these should be done once, even if SSH_CLIENTS is a list.
    #
    if [ "$DO_ONCE" = "1" ]; then
        DO_ONCE=0
        # create a chain to hold the NEW_SSH rules
        $IPTABLEPROG -N NEW_SSH
        # send new connections to port 22 arriving on INPUT to that chain
        $IPTABLEPROG -A INPUT -i $PUB_IFACE -d $PUB_IP \
            -p tcp --dport 22 -m state --state NEW -j NEW_SSH
        # open up unrestricted clients (the local subnet) before any rate limit
        $IPTABLEPROG -A NEW_SSH -i $PUB_IFACE -p tcp \
            -s $SSH_CLIENTS_UNRESTRICTED --sport $EPHEMERAL_PORTS \
            -d $PUB_IP --dport 22 -j ACCEPT
    fi
    # The next two rules drop connections of more than 1 per minute.
    # --set records this attempt first; --update then counts the attempts
    # seen in the last 60 seconds, including the one just recorded, so
    # hitcount 2 means "this attempt plus one earlier one".
    # (Note the space before each trailing backslash: "22\" at end of
    # line would glue "22" to the next argument.)
    $IPTABLEPROG -A NEW_SSH -i $PUB_IFACE -p tcp -s $IP \
        --sport $EPHEMERAL_PORTS --dport 22 \
        -m state --state NEW -m recent --set
    $IPTABLEPROG -A NEW_SSH -i $PUB_IFACE -p tcp -s $IP \
        --sport $EPHEMERAL_PORTS --dport 22 \
        -m state --state NEW -m recent --update \
        --seconds 60 --hitcount 2 -j DROP
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        # accept the NEW connection explicitly when state tracking is in use
        $IPTABLEPROG -A NEW_SSH -i $PUB_IFACE -p tcp \
            -s $IP --sport $EPHEMERAL_PORTS \
            -d $PUB_IP --dport 22 \
            -m state --state NEW -j ACCEPT
    fi
    # anything from this client that survived the rate limit is accepted
    $IPTABLEPROG -A NEW_SSH -i $PUB_IFACE -p tcp -s $IP \
        --sport $EPHEMERAL_PORTS \
        -d $PUB_IP --dport 22 -j ACCEPT
    # allow sshd's replies (non-SYN packets) back out to the client
    $IPTABLEPROG -A OUTPUT -o $PUB_IFACE -p tcp ! --syn \
        -s $PUB_IP --sport 22 \
        -d $IP --dport $EPHEMERAL_PORTS -j ACCEPT
done


This is cut from a script, but here are all the predefined
symbols:

PUB_IFACE=eth0
PUB_IP=a.b.c.d #plug in your machine's IP address here
SSH_CLIENTS=$PUB_IP/0 #entire net
SSH_CLIENTS_UNRESTRICTED=$PUB_IP/24 #local subnet
IPTABLEPROG=iptables
EPHEMERAL_PORTS=1024:65535 #Unprivileged port range
CONNECTION_TRACKING=1 #referenced by the script but missing from the original list; 1 adds the --state NEW ACCEPT rule

Regards,

David Mathog
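The following is an added example, not part of David Mathog's post or of any iptables code: a small POSIX shell simulation of the netfilter "recent" module's bookkeeping for the "--set" followed by "--update --seconds 60 --hitcount N -j DROP" rule pair above, run over a constructed trace of NEW connection attempts, so the hitcount quirk he describes can be checked without loading any rules. It models the module as the kernel implements it: "--set" appends a timestamp for the source address, "--update" counts the stamps within the window (the packet just recorded included) and, when it matches, appends another stamp. The addresses, times and the per-address stamp cap being ignored (the real module keeps only the last ip_pkt_list_tot stamps, default 20) are all simplifications of this example.

```sh
#!/bin/sh
# Simulation of the "recent" module for the rule pair
#   -m recent --set
#   -m recent --update --seconds W --hitcount H -j DROP
# applied in that order to every NEW connection from a source.
# State lives in one string so this runs under plain POSIX sh.
# Simplifications: no cap on stamps per address, DEFAULT list only.

STAMPS=""   # one "source=seconds" token per recorded hit

recent_set() {      # --set: record a hit for source $1 at time $2
    STAMPS="$STAMPS $1=$2"
}

recent_hits() {     # number of hits for $1 within $3 seconds of time $2
    src=$1; now=$2; window=$3; n=0
    for tok in $STAMPS; do
        case "$tok" in
            "$src="*)
                t=${tok#*=}
                if [ $((now - t)) -le "$window" ]; then
                    n=$((n + 1))
                fi
                ;;
        esac
    done
    echo "$n"
}

# Verdict for one NEW packet from $1 at time $2 with --seconds $3 --hitcount $4.
# --set runs first, so the packet's own stamp is counted by --update; this is
# why hitcount 1 drops even the very first attempt. A matching --update also
# refreshes the entry, so a client that keeps retrying stays locked out until
# it has been quiet for a full window.
verdict() {
    recent_set "$1" "$2"
    if [ "$(recent_hits "$1" "$2" "$3")" -ge "$4" ]; then
        recent_set "$1" "$2"
        VERDICT=DROP
    else
        VERDICT=ACCEPT          # falls through to the later ACCEPT rule
    fi
}

# run_trace HITCOUNT WINDOW "seconds source"... ; prints one verdict per event
run_trace() {
    hitcount=$1; window=$2; shift 2
    STAMPS=""; out=""
    for ev in "$@"; do
        secs=${ev%% *}; src=${ev#* }
        verdict "$src" "$secs" "$window" "$hitcount"
        out="$out$VERDICT "
    done
    echo "${out% }"
}

# Constructed trace: two quick attempts from 10.0.0.5, one from 10.0.0.9,
# a retry from 10.0.0.5 while still inside the window, then one long after.
demo() {
    for h in 1 2; do
        printf 'hitcount %s: %s\n' "$h" "$(run_trace "$h" 60 \
            "0 10.0.0.5" "10 10.0.0.5" "30 10.0.0.9" "65 10.0.0.5" "130 10.0.0.5")"
    done
}
demo
```

With hitcount 1 every attempt in the trace is dropped, including the first one from each address; with hitcount 2 the first attempt passes, the second within the minute is dropped, and the retry at 65 seconds is dropped as well because the dropped attempt at 10 seconds refreshed the entry, so the client only gets back in after a full quiet minute. That last point is the practical caveat of using --update rather than --rcheck: a brute-forcer that never pauses stays blocked, but so does a legitimate user who mistypes once and immediately retries.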