Fed up with repeated login failures and DoS attempts from all around the world? Read on to learn how to defend against them.
First of all, consider restricting access to a whitelist of trusted IPv4/IPv6 sources. Dynamic inspection of malicious attempts is not a CPU-friendly operation, and neither are the malicious attempts themselves. If a whitelist is not desired or not applicable, Fail2ban seems to be a suitable way to solve that pain in the ass.
Install Fail2ban with:
emerge -av net-analyzer/fail2ban
Edit the /etc/fail2ban/jail.conf config file:
[DEFAULT]
ignoreip = 127.0.0.1,192.168.100.24 # Management network
bantime = 86400 # 1 day (in seconds)
findtime = 300 # 5 minutes (in seconds)
maxretry = 3 # default repeat count

# Jail entry for SSH, using iptables for firewall
[ssh-iptables]
enabled = true # Note that it is by default disabled
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = 3 # Override the default of 3
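To see what the `findtime`/`maxretry`/`bantime`/`ignoreip` settings above actually do, here is a small added example (not part of the original post, and not Fail2ban's own code) that replays the same sliding-window logic over a few constructed sshd log lines in the auth.log format. The regex is a simplified stand-in for Fail2ban's sshd filter, the log lines and hostnames are made up, and the log year is an assumption because syslog timestamps carry none.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values copied from the jail.conf snippet above.
IGNOREIP = ["127.0.0.1", "192.168.100.24"]
BANTIME = 86400   # seconds
FINDTIME = 300    # seconds
MAXRETRY = 3

# Assumption: syslog lines carry no year, so one is fixed for the demo.
LOG_YEAR = 2024

# Simplified stand-in for Fail2ban's sshd filter (matches "Failed password" lines only).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed sample log in /var/log/auth.log format; not from a real host.
# 203.0.113.7     : 3 failures in 8 seconds        -> should be banned
# 192.168.100.24  : 3 failures but listed in ignoreip -> never banned
# 198.51.100.9    : 3 failures spread over 14 minutes -> outside a 300 s window
SAMPLE_LOG = """\
Mar  3 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Mar  3 10:00:05 gw sshd[2103]: Failed password for root from 203.0.113.7 port 51430 ssh2
Mar  3 10:00:09 gw sshd[2105]: Failed password for root from 203.0.113.7 port 51438 ssh2
Mar  3 10:00:12 gw sshd[2107]: Accepted publickey for alice from 192.168.100.24 port 40000 ssh2
Mar  3 10:00:20 gw sshd[2109]: Failed password for root from 192.168.100.24 port 40010 ssh2
Mar  3 10:00:21 gw sshd[2111]: Failed password for root from 192.168.100.24 port 40011 ssh2
Mar  3 10:00:22 gw sshd[2113]: Failed password for root from 192.168.100.24 port 40012 ssh2
Mar  3 10:01:00 gw sshd[2115]: Failed password for root from 198.51.100.9 port 33000 ssh2
Mar  3 10:08:00 gw sshd[2117]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  3 10:15:00 gw sshd[2119]: Failed password for root from 198.51.100.9 port 33002 ssh2
"""


def parse_ts(text):
    """Parse a syslog timestamp such as 'Mar  3 10:00:01' (year assumed)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def is_ignored(ip, ignoreip):
    """ignoreip entries may be single addresses or CIDR networks, IPv4 or IPv6."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in ignoreip)


def scan(log_text, ignoreip=IGNOREIP, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: ban_expiry} for every source that hit maxretry failures within findtime."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}                     # ip -> datetime when the ban would expire
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                # not a failed login; ignore
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if is_ignored(ip, ignoreip):
            continue                # whitelisted management network etc.
        if ip in banned and ts < banned[ip]:
            continue                # already banned; nothing new to do
        window = failures[ip]
        window.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return banned


if __name__ == "__main__":
    for ip, expiry in scan(SAMPLE_LOG).items():
        print(f"ban {ip} until {expiry:%Y-%m-%d %H:%M:%S}")
```

Running it bans only 203.0.113.7 (until 2024-03-04 10:00:09); the management host is skipped via `ignoreip`, and the slow attacker at 198.51.100.9 never accumulates three failures inside a 300-second window. Raising `findtime` to 900 catches it too, which is the trade-off the two parameters express: a longer window catches slower attempts at the cost of more state and more false positives for users who simply mistype a password now and then.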
And start the daemon:
rc-service fail2ban start
rc-update add fail2ban default
There are several ways to interact with the daemon. For example, to get details about the banned malicious IP addresses:
fail2ban-client status ssh-iptables