Preventing Dictionary Attacks in SSH

ssh is arguably one of the most useful remote administration tools in existence, but it is no good if you cannot turn it on. Whenever I check my Linux server logs (on my externally facing machines) there are ALWAYS hundreds of attempts to get remote access through ssh via brute-force dictionary attacks. While I always have strong passwords and generally have strong usernames, there is always the chance that an attacker might get lucky.

Thankfully, Linux has iptables. The kernel-level firewall can be amazingly complex (some people consider it a full-blown programming environment), but that complexity gives a firewall a dramatic amount of flexibility. For example, if I want to block hosts that have attempted to log in and failed 4 times in 60 seconds (note that the rules below count new TCP connections to port 22 per source address, since the firewall never sees whether authentication succeeded or failed):

# Dedicated chain for new inbound SSH connections
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Record the source address of every new connection in the "SSH" list
iptables -A SSH_CHECK -m state --state NEW -m recent --set --name SSH
# Refresh the entry's timestamp once the source has hit 4 times within 60 s
iptables -A SSH_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH
# Drop the connection when the source has 4 or more hits within 60 s
iptables -A SSH_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP
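As an added example (not part of the original post), the same 4-hits-in-60-seconds sliding window applied to sshd authentication failures in the server log, which is the signal the firewall rule cannot see; the auth.log lines, the host names, the addresses and the year are constructed:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar  3 10:15:09 host sshd[2313]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar  3 10:15:20 host sshd[2315]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:15:31 host sshd[2316]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2
Mar  3 10:15:48 host sshd[2318]: Failed password for invalid user oracle from 203.0.113.5 port 40151 ssh2
Mar  3 10:20:00 host sshd[2330]: Failed password for bob from 198.51.100.7 port 51010 ssh2
Mar  3 10:22:00 host sshd[2331]: Failed password for bob from 198.51.100.7 port 51011 ssh2
"""

# Matches the classic OpenSSH "Failed password" line (syslog timestamp, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def find_brute_forcers(log_text, hitcount=4, seconds=60, year=2024):
    """Return the set of source IPs that produced at least `hitcount` failed
    logins inside any `seconds`-long window. Per-IP sliding window, the same
    shape as the iptables 'recent' match above, but counted on failures only.
    `year` is assumed because syslog timestamps carry none."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # accepted logins and other noise are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        # Expire entries older than the window, like --seconds 60 does.
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()
        if len(window) >= hitcount:
            flagged.add(m["ip"])
    return flagged


if __name__ == "__main__":
    print(sorted(find_brute_forcers(SAMPLE_LOG)))
```

Feeding real auth.log output through the same function gives the list of sources that a log-based blocker (or a manual review) would want to act on, while the iptables rules above throttle the connection flood before sshd ever logs it.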

While we are on the subject, here is a great tutorial on getting IPCop working. IPCop is an alternative firewall for Linux.