Re: [tor-relays] Tor node break-in attempts

Attack counts are in the 100,000s.
This sort of thing poses no threat and is quite stupid, as previously observed. It is mainly annoying for the mess it makes of /var/log/security. If you don't want to change the SSH port (best solution IMO), here's an 'iptables' rule that will fix it (adjust/rearrange as needed/desired). These lines assume they will go in /etc/sysconfig/iptables. You can run them manually by prefixing with the 'iptables' command. I wrote this without looking at the default 'iptables' file for any distro and if you are using one, revise accordingly or rename the original and start from scratch.

    -N input_eth0
    -A INPUT -i eth0 -j input_eth0
    -A input_eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A input_eth0 -p tcp --dport 22 -d x.x.x.x -m recent --update --seconds 600 --hitcount 3 --name SSH_ATTACK -j DROP
    -A input_eth0 -p tcp --dport 22 -d x.x.x.x -m recent --set --name SSH_ATTACK -j ACCEPT

==========

Because we all make mistakes, you should *TEST* the rule by KEEPING A LIVE CONNECTION active and logging in a second time, or you may lock yourself out of your server. Use

    iptables -nvL

to display the counters and look for the lock-out effect after 'hitcount' attempts. Also look in

    cat /proc/net/xt_recent/SSH_ATTACK

for the login tries and lock-out. You can clear an IP with

    echo "-x.x.x.x" >>/proc/net/xt_recent/SSH_ATTACK

==========

If you want a bigger hash table and more history than the default, you can create /etc/modprobe.d/xt_recent.conf and put something like

    options xt_recent ip_list_tot=16384 ip_pkt_list_tot=255

in it.

==========

Some documentation at http://linux.die.net/man/8/iptables
participants (1)
- starlight.2015q3＠binnacle.cx
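The following is an added example and is not part of the post above or of any Tor project code. It wraps the xt_recent throttle described in the message into three small shell helpers: one that emits the rule set in iptables-save format (the `:chain - [0:0]` declaration is the iptables-restore equivalent of the `-N` line in the post), one that reads `/proc/net/xt_recent/<name>` lines and reports which sources already have enough timestamps inside the window to be dropped on their next attempt, and one that loads a rule file with a background revert timer so that a mistake does not leave you locked out. Assumptions: interface eth0, relay address 192.0.2.10 (documentation range), a 600 s window with 3 hits, the kernel's HZ value supplied by the caller (the `/proc` timestamps are in jiffies), and the sample `/proc` lines are constructed for the example. The apply helper needs root and real iptables binaries; the other two run anywhere.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Helpers around the "-m recent --update/--set" SSH throttle.

# Emit the throttle as an iptables-restore fragment.
# Args: iface dst_ip port seconds hitcount
gen_ssh_throttle() {
    iface=$1; dst=$2; port=$3; secs=$4; hits=$5
    cat <<EOF
*filter
:input_${iface} - [0:0]
-A INPUT -i ${iface} -j input_${iface}
-A input_${iface} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A input_${iface} -p tcp --dport ${port} -d ${dst} -m recent --update --seconds ${secs} --hitcount ${hits} --name SSH_ATTACK -j DROP
-A input_${iface} -p tcp --dport ${port} -d ${dst} -m recent --set --name SSH_ATTACK -j ACCEPT
COMMIT
EOF
}

# Constructed sample of /proc/net/xt_recent/SSH_ATTACK. The kernel prints one
# line per source: "src=A ttl: T last_seen: J oldest_pkt: I j1, j2, ..." where
# the trailing values are packet timestamps in jiffies (all values invented).
SAMPLE_XT_RECENT='src=192.0.2.50 ttl: 64 last_seen: 4295100 oldest_pkt: 3 4294900, 4295000, 4295100
src=198.51.100.7 ttl: 53 last_seen: 4295050 oldest_pkt: 1 4295050
src=203.0.113.9 ttl: 60 last_seen: 4280000 oldest_pkt: 3 4200000, 4210000, 4280000'

# Read xt_recent lines on stdin and print the sources whose next packet the
# "--update --seconds S --hitcount H" rule will match. The listing keeps up to
# ip_pkt_list_tot timestamps regardless of age, so stamps older than the window
# are discarded here, exactly as the match does. Args: hitcount seconds hz now
# (now = current jiffies, as read e.g. from the last_seen of a fresh entry).
locked_out_sources() {
    awk -v hits="$1" -v win="$2" -v hz="$3" -v now="$4" '
    /^src=/ {
        n = 0
        for (i = 8; i <= NF; i++) {          # fields 8.. are the timestamps
            gsub(/,/, "", $i)
            if (now - $i <= win * hz) n++    # still inside the window
        }
        if (n >= hits) { sub(/^src=/, "", $1); print $1 }
    }'
}

# Load a rule file with --noflush and arm a timer that restores the previous
# rule set after $2 seconds. Open a second SSH session to prove the rules
# work, then kill the printed PID; if you locked yourself out, the timer
# undoes it. Requires root and iptables; not exercised by the test.
apply_with_revert() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore --noflush < "$1" || return 1
    ( sleep "$2"; iptables-restore < "$backup" ) &
    echo $!
}

if [ "${1-}" = "demo" ]; then
    gen_ssh_throttle eth0 192.0.2.10 22 600 3
    echo "sources whose next attempt is dropped (HZ=100, now=4295100):"
    printf '%s\n' "$SAMPLE_XT_RECENT" | locked_out_sources 3 600 100 4295100
fi
```

Run with `sh throttle.sh demo` to see the rule fragment and the parsed lock-out list; with the sample data only 192.0.2.50 has three stamps inside the 600 s window (203.0.113.9 also has three stamps, but two are stale), which is why counting stamps without the window would overstate who is blocked. To install for real: `gen_ssh_throttle eth0 <relay-ip> 22 600 3 > /tmp/throttle.rules; pid=$(apply_with_revert /tmp/throttle.rules 300)`, log in again from a second terminal, then `kill $pid` to keep the rules.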