Luckily, there are easy ways to deal with this. We use the following ferm recipe to limit the incoming new ssh connections on source ip basis. Hope this helps someone.

You do the following in the filter table from the input chain. We assume you already allow established connections to pass.

proto tcp dport ssh {
  # Rate-limit incoming SSH connections
  mod state state NEW mod recent name "ssh" {
    set NOP;
    update seconds 300 hitcount 31 REJECT reject-with tcp-reset;
  }

  # allow SSH clients which play nice
  ACCEPT;
}

This will keep track of the number of connections made on the ssh port in the last 300 seconds, per source ip address. If more than 30 connections are made within 300 seconds, they will be rejected. Otherwise, they’re allowed.

This works great for us, but you want to test it before using it in a production environment, of course!

Update: So ipt_recent only allows up to 20 counts. You might want to change the numbers in this recipe a bit to make it work correctly

Update 2: Or even better:

$ cat /etc/modprobe.d/ipt_recent
options ipt_recent ip_pkt_list_tot=31
$ sudo /etc/init.d/ferm stop
$ sudo rmmod ipt_recent
$ sudo /etc/init.d/ferm start

You can check /sys/module/ipt_recent/parameters/ip_pkt_list_tot to see if it changed.

Btw, this all is not my own research, merely transcribing what Bart and Kees researched.

Tags: connection, ferm, firewall, ipt_recent, limit, rate limit, recent, ssh, worm