I like to move SSH to a higher port, and then use fail2ban to blast anything that touches port 22 for good 24 hours. Of course, any failed auth attempt to the real SSH port gets blasted too (using pubkey of course).

Care to share your config options to accomplish that. Would save me a little google-fu

Firewall (iptables):

...
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "iptables: DROP: "
iptables -A INPUT -p tcp --dport 22 -j DROP
...

fail2ban filter:

[Definition]
failregex = iptables: DROP: .* SRC=(?P<host>\S*) DST.*
ignoreregex =

fail2ban jail config:

[ssh-22]
enabled  = true
filter   = ssh-22
action   = iptables[name=SSH-22, port=22, protocol=tcp]
           sendmail-whois[name=SSH-22, dest=root]
logpath  = /var/log/iptables.log
maxretry = 1
bantime = 86400

What I'll probably do though is to put the iptables log at the end of teh valid input chain and not assigned to any port, so that I can ban anything that touches any port other than active enabled services. IMHO this should break any portscan attempt assuming they start at lower ports and work upwards.

If you're busy banning port scans, I hope you don't run an IRC client...

_________________
Matt Nordhoff (aka Peng on IRC)

I don't run irc, but that reminds me I wanted to implement a web based chat at some point, thanks