If you are using SSH then you will sooner or later notice someone trying to hack into your box using dictionary attacks.
You can use the iptables recent module to enforce a minimum interval between new connections from the same IP.
To make this work, you should have this commonly used rule in place (it allows previously established connections and is a normal rule in most firewalls):
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net)
Now, to set the limit:
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
These two rules make iptables require 15 seconds between new connections from the same IP on port 22 (the SSH port). Use ACCEPT instead if you are using a firewall that has its own rule for accepting ssh.
Another way of limiting dictionary attacks is to rate-limit with -m limit --limit <rate>, like this:
iptables -A INPUT -p tcp --dport ssh -m limit --limit 3/minute --limit-burst 2 -j ACCEPT
This rule sets a limit of 3 connections per minute, but the first two connections exhaust the limit-burst, so the rule effectively limits the connection attempt rate to 1/minute.
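To see what the two approaches above actually do to a stream of connection attempts, here is an added example (not part of the original post, and not code from the iptables project): a small bash simulation of the recent match with --update --seconds 15 and of the limit match with --limit 3/minute --limit-burst 2, run over a constructed log of new SSH connections from two TEST-NET addresses. The function names, the timestamps and the addresses are all constructed for illustration. Two properties of the real modules are reproduced: --update refreshes the last-seen timestamp even when the packet is dropped, so a host that keeps retrying is never admitted until it has been quiet for a full window; and the limit match is a single token bucket per rule rather than per source, and packets that find no token simply do not match and fall through to the next rule, so the limit rule only protects anything if a DROP rule or a DROP default policy follows it.

```bash
#!/usr/bin/env bash
# Added example: userspace simulation of the iptables recent and limit matches,
# so the verdicts can be inspected offline without root or a kernel.
# Timestamps are seconds since the start of the log.

# Constructed log of new SSH connections: "<seconds> <source ip>".
# 203.0.113.5 retries every 5 seconds and then pauses; 198.51.100.7 connects twice, 18 seconds apart.
ATTEMPTS='0 203.0.113.5
5 203.0.113.5
10 203.0.113.5
12 198.51.100.7
15 203.0.113.5
30 198.51.100.7
40 203.0.113.5'

# Simulates: -m recent --update --seconds $1 -j DROP, then -m recent --set -j ACCEPT.
# A source is DROPped while its previous attempt is less than $1 seconds old. Because
# --update refreshes the timestamp on the DROP as well, a host that never pauses stays out.
recent_sim() {
  local window=$1
  declare -A last   # last-seen time per source address (the recent list)
  local t ip
  while read -r t ip; do
    if [ -z "$t" ]; then continue; fi
    if [ -n "${last[$ip]+x}" ] && [ $((t - last[$ip])) -lt "$window" ]; then
      printf '%s %s DROP\n' "$t" "$ip"
    else
      printf '%s %s ACCEPT\n' "$t" "$ip"
    fi
    last[$ip]=$t
  done
}

# Simulates: -m limit --limit $1/minute --limit-burst $2 -j ACCEPT.
# The kernel keeps a credit counter capped at <burst> tokens; one token costs 60/$1 seconds
# of credit and credit refills with wall-clock time. An attempt that finds no token does not
# match and falls through to whatever rule comes next. The counter is shared by all sources.
limit_sim() {
  local per_minute=$1 burst=$2
  local cost=$((60 / per_minute))
  local cap=$((cost * burst))
  local credit=$cap prev=0
  local t ip
  while read -r t ip; do
    if [ -z "$t" ]; then continue; fi
    credit=$((credit + (t - prev)))
    prev=$t
    if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
    if [ "$credit" -ge "$cost" ]; then
      credit=$((credit - cost))
      printf '%s %s ACCEPT\n' "$t" "$ip"
    else
      printf '%s %s FALLTHROUGH\n' "$t" "$ip"
    fi
  done
}

# Run each simulation over the constructed log and return the verdicts, one per line.
run_recent() { printf '%s\n' "$ATTEMPTS" | recent_sim 15; }
run_limit()  { printf '%s\n' "$ATTEMPTS" | limit_sim 3 2; }

echo '--- -m recent --update --seconds 15 ---'
run_recent
echo '--- -m limit --limit 3/minute --limit-burst 2 ---'
run_limit
```

The recent simulation admits the attacker's first attempt, drops the retries at 5, 10 and 15 seconds, admits the legitimate host both times, and lets the attacker back in only at 40 seconds, after a 25-second pause. The limit simulation admits the first two attempts from the bucket's burst, then the attempts at 10, 12 and 15 seconds fall through, including the legitimate host's connection at 12 seconds, because the bucket is shared by all sources; a token is back every 20 seconds, so the attempts at 30 and 40 seconds match again.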