I have been trying to find a way that I was comfortable with to slow down the brute-force SSH attacks.
The only problem was I was not convinced that a script or daemon watching the log files for failed logins was the best way of accomplishing this. I knew that iptables had some limiting functions, but most of my iptables experience had been with simply blocking or unblocking ports.
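# Create a dedicated chain for new SSH connections
iptables -N SSH_CHECK
# Send every NEW connection to port 22 through that chain
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Record the source address in the "SSH" recent list
iptables -A SSH_CHECK -m recent --set --name SSH
# Drop sources with 4 or more hits in the last 60 seconds
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 \
    --name SSH -j DROP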
This appears to be a simple solution that I can live with :)
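To check how the two `recent` rules above treat a given pattern of connection attempts before loading them, this added example (not part of the original post) models the SSH_CHECK chain in Python. It assumes xt_recent's default of 20 stored timestamps per address; the class and function names, addresses and times are constructed for illustration.

```python
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # assumed: xt_recent default ip_pkt_list_tot (stamps per address)


class RecentList:
    """Model of one xt_recent list (here: --name SSH), keyed by source IP."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # -m recent --set: record a timestamp for src; the match always succeeds.
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        # -m recent --update --seconds S --hitcount N: match when src has at
        # least N timestamps within the last S seconds. On a match one more
        # timestamp is recorded, so a client that keeps trying stays blocked.
        hits = sum(1 for t in self.stamps[src] if t >= now - seconds)
        matched = hits >= hitcount
        if matched:
            self.stamps[src].append(now)
        return matched


def ssh_check(recent, src, now):
    """Walk the SSH_CHECK chain for one NEW packet to tcp/22."""
    recent.set(src, now)                  # rule 1: --set --name SSH
    if recent.update(src, now, 60, 4):    # rule 2: --update ... -j DROP
        return "DROP"
    return "RETURN"  # end of chain: back to INPUT for the remaining rules


def replay(events):
    """events: iterable of (seconds, source_ip); returns one verdict per event."""
    recent = RecentList()
    return [ssh_check(recent, src, t) for t, src in events]


# Constructed sample traffic (documentation addresses), times in seconds.
SAMPLE = [(0, "203.0.113.7"), (10, "203.0.113.7"), (20, "203.0.113.7"),
          (30, "203.0.113.7"), (40, "203.0.113.7"), (45, "198.51.100.9"),
          (85, "203.0.113.7"), (160, "203.0.113.7")]

if __name__ == "__main__":
    for (t, src), verdict in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={t:>3}s {src:<13} {verdict}")
```

The fourth attempt inside 60 seconds is the first one dropped, and the drop at t=85 shows that dropped attempts still count as hits, so a source is only let through again after it has gone quiet. A client connecting once every 30 seconds never reaches four hits in the window and is never dropped.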