On 4/5/2022 3:30 AM, tomas@tuxteam.de wrote: ....
You gotta be careful: kicking out an IP for just one login failure might shut *you* out because you forgot to ssh-add your key (or because you mistyped your password once). OTOH, if "they" keep changing their IP address for each retry, you wouldn't catch them otherwise. So it is a fine line to walk. You might try to trigger on more specific patterns, which means you'll have to adapt your recognisers, yadda, yadda. Take care & don't forget having fun. That's what computers are for, after all.
I run a homebrew version of this idea to kill probes to my ssh server. And I realized the danger stated above. So my server also reads email to an account just for it and I have a special subject line that causes it to clear the iptables - just in case. Since I don't have a fixed IP, there is another special subject line that causes it to email the current IP to my email account. All this so I can tunnel through the server when I travel.
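The threshold trade-off discussed in this thread, as an added example that is not code from either poster: a small failure counter run over constructed log lines shows a one-strike rule banning a legitimate user who mistyped once, while a three-strike rule misses a prober that changes address on every attempt. The log format is simplified to ISO timestamps, and the function name, window length and `allow` parameter are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation address ranges, simplified timestamps).
SAMPLE_LOG = """\
2022-04-05T03:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2022-04-05T03:00:03 sshd[811]: Failed password for root from 203.0.113.7 port 40114 ssh2
2022-04-05T03:00:05 sshd[811]: Failed password for admin from 203.0.113.7 port 40120 ssh2
2022-04-05T03:01:10 sshd[812]: Failed password for alice from 198.51.100.20 port 51514 ssh2
2022-04-05T03:01:30 sshd[812]: Accepted publickey for alice from 198.51.100.20 port 51520 ssh2
2022-04-05T03:02:00 sshd[813]: Failed password for root from 192.0.2.11 port 33010 ssh2
2022-04-05T03:02:02 sshd[814]: Failed password for root from 192.0.2.12 port 33011 ssh2
2022-04-05T03:02:04 sshd[815]: Failed password for root from 192.0.2.13 port 33012 ssh2
"""

FAILED = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port"
)

def banned_ips(log, threshold, window=timedelta(minutes=10), allow=frozenset()):
    """Return the IPs that reach `threshold` failed logins within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    banned = set()
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        when, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in allow:
            continue  # hypothetical allowlist: never ban these addresses
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    for n in (1, 3):
        print(f"threshold={n}: {sorted(banned_ips(SAMPLE_LOG, n))}")
```

An allowlist only helps when the trusted address is stable, which is why a server reached from changing addresses needs a separate recovery path such as the one described above.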