SCIENTIFIC-LINUX-USERS Archives

October 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Alex Finch <[log in to unmask]>
Date: Thu, 2 Oct 2008 10:17:47 +0100
I was just trying to understand this solution, but I can't find any documentation for "recent". Where can I find out more about it? It is not mentioned in "man iptables".

  Mark Stodola wrote:
 > Sorry I haven't been following this whole thing, but I caught the last
 > few.  As far as a real-time solution, I use iptables.  It doesn't care
 > if a login failed or succeeded, it just counts the rate of connection.
 > You can play with it a bit, depending on how many users hit your machine
 > and how often.  It is on a per-host basis, so 3 people from 3 different
 > machines won't trip it, however 3 connections from a single machine in
 > less than a minute will.  Easily tweaked using lines 2 and 3.  This
 > stops all of those automated brute-force attacks for me, and I haven't
 > locked myself out (yet).
 >
 > My sample script:
 >
 > #
 > # SSH FLOOD PROTECTION
 > #
 >
 > # create our new limiting chain where we can send everything to be limited.
 > ${IPTABLES} -N mylimit
 >
 > # demand XX seconds of silence from a host that has been flagged as flooding.
 > ${IPTABLES} -A mylimit -m recent --update --seconds 604800 -j DROP
 >
 > # if the host is not flagged for flooding, and has not started to flood in the last minute,
 > # bounce their connection back where it came from for further rule matching.
 > ${IPTABLES} -A mylimit -m limit --limit 2/m --limit-burst 3 -j RETURN
 >
 > # They have started to flood, drop their connection and flag them.
 > ${IPTABLES} -A mylimit -m recent --set -j DROP
 >
 > # shunt NEW ssh connections over to mylimit to be limited
 > ${IPTABLES} -A INPUT -i ${EXTIF} -p tcp --dport ssh -m state --state NEW -j mylimit
 >
 > Cheers,
 > Mark


-- 
  Alex Finch, Research Fellow, Physics Department, Lancaster University.
+44 (0) 1524 593618   http://www.lancs.ac.uk/depts/physics/staff/ajf.htm
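To illustrate what the "recent" match asked about above actually does, here is an added toy model of its per-source bookkeeping (written for this page, not Mark's script or the kernel code). It assumes the behaviour documented for --set, --rcheck and --update with --seconds/--hitcount, and uses constructed host addresses and timestamps; it replays the common two-rule per-source SSH limit and shows why a host that keeps retrying keeps extending its own block.

```python
# Toy model of the iptables "recent" match (xt_recent), following the
# behaviour documented in the iptables extensions man page. Added
# illustration, not kernel code; class, function and host names are made up.
from collections import defaultdict

class RecentList:
    """One recent table (one --name); each source keeps its last few hit times."""
    def __init__(self, max_stamps=20):
        self.stamps = defaultdict(list)
        self.max_stamps = max_stamps
    def _stamp(self, src, now):
        self.stamps[src] = (self.stamps[src] + [now])[-self.max_stamps:]
    def set(self, src, now):
        """--set: record the source with the current time; always matches."""
        self._stamp(src, now)
        return True
    def rcheck(self, src, now, seconds=None, hitcount=1):
        """--rcheck [--seconds S] [--hitcount N]: match if the source has at
        least N stamps within the last S seconds; the entry is left untouched."""
        hits = [t for t in self.stamps.get(src, ())
                if seconds is None or now - t <= seconds]
        return len(hits) >= hitcount
    def update(self, src, now, seconds=None, hitcount=1):
        """--update: like --rcheck, but a match also stamps the current time,
        so a host that keeps retrying keeps extending its own block."""
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self._stamp(src, now)
        return matched

def ssh_decision(table, src, now, seconds=60, hitcount=4):
    """Verdict for one NEW SSH connection under the two-rule pattern
         -m recent --set --name SSH
         -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
    Rule 1 always stamps, so rule 2's count already includes this attempt."""
    table.set(src, now)
    return "DROP" if table.update(src, now, seconds, hitcount) else "ACCEPT"

def replay(attempts, **kw):
    """attempts: list of (time, src) pairs; returns one verdict per attempt."""
    table = RecentList()
    return [ssh_decision(table, src, t, **kw) for t, src in attempts]

if __name__ == "__main__":
    # constructed sample: a noisy host interleaved with a quiet one
    sample = [(0, "10.0.0.5"), (2, "10.0.0.8"), (5, "10.0.0.5"), (10, "10.0.0.5"),
              (15, "10.0.0.5"), (20, "10.0.0.5"), (30, "10.0.0.8"), (90, "10.0.0.5")]
    for (t, src), v in zip(sample, replay(sample)):
        print(f"t={t:3d} {src:9s} {v}")
```

The quiet host is never affected, the noisy host is dropped from its fourth attempt inside the 60 s window, and it is accepted again only after a full minute of silence; a host that retries every 10 s would stay blocked indefinitely because each dropped attempt re-stamps the entry.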
