For some reason, my boxes seem to get a lot of login / hacking attempts to them. For a long time now, I've deployed an iptables filter that blocks a lot of these attempts. They still keep trying, even though they only get a few attempts per IP. Maybe I'm sticking out my head too much here, showing what my filters are, but I figured that someone else might find this useful. And besides, if knowing my filters makes me more vulnerable, then I rather find out about it.

So, here it is (well, the parts of it that blocks login attempts):

-A INPUT -p tcp -m tcp --dport 22 -m state --state new -m limit --limit 10/hour --limit-burst 4 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 22 -j LOG --log-prefix "IPTABLES SSH-LIMIT: "
-A INPUT -m tcp -p tcp --dport 22 -j DROP

-A INPUT -p tcp -m tcp --dport 21 -m state --state new -m limit --limit 10/hour --limit-burst 4 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 21 -j LOG --log-prefix "IPTABLES FTP-LIMIT: "
-A INPUT -m tcp -p tcp --dport 21 -j DROP

Be careful to not lock yourself out. If you need to go over these limits from a particular IP, whitelist it first with a rule to always grant access.