I guess I need to read a bit more on the ALL:PARANOID bit.. that also might work for here, but not downtown.
In my experience paranoid is more of a nuisance than a help. I've often been blocked simply because I was on a temporary computer which had no reverse DNS -- it's annoying and not that uncommon.
Another solution would be to use the Linux firewall's 'recent' or 'limit' match types to limit connections to a certain number per hour or something.
I.e. something like this (all in filter table):
:newssh - [0:0]
:whitelist - [0:0]
# Knock: any TCP connection to port 12345 records the source address in the recent list
-A INPUT -p tcp --dport 12345 -m recent --set
# New SSH connections are decided in the newssh chain
-A INPUT -p tcp --dport ssh -m state --state NEW -j newssh
# Accept (and refresh) addresses seen in the recent list within the last 12 hours
-A newssh -m recent --update --seconds 43200 -j ACCEPT
-A newssh -j whitelist
# Always-allowed sources: loopback, private ranges, my own networks and hosts
-A whitelist -s 127.0.0.0/8 -j ACCEPT
-A whitelist -s 10.0.0.0/8 -j ACCEPT
-A whitelist -s 172.16.0.0/12 -j ACCEPT
-A whitelist -s 192.168.0.0/16 -j ACCEPT
-A whitelist -s x.y.z.0/24 -j ACCEPT
-A whitelist -s static_home_ip_number -j ACCEPT
The above accepts ssh connections from IPs which have tried telnetting to port 12345 (or been allowed to ssh) within the past 12 hours, and from anybody in the whitelist chain (which basically accepts private/local networks, my own computers, etc.).
Or instead of the newssh chain above you could try:
-A newssh -j whitelist
# Global (not per-IP) rate: a burst of 5, refilling at 1 per hour
-A newssh -m limit --limit 1/hour --limit-burst 5 -j ACCEPT
Which would accept any whitelisted computer and a maximum of 5 attempts in a row from anywhere else (recharge rate of 1 per hour). Of course the above doesn't distinguish IPs.
So you could do something like this:
-A newssh -j whitelist
# Reject once the source has made 10 or more connections in the last hour
-A newssh -m recent --update --seconds 3600 --hitcount 10 -j REJECT --reject-with tcp-reset
# --set records the accepted connection, so the hitcount above has something to count
-A newssh -m recent --set -j ACCEPT
Which would accept any whitelisted computer, and up to 10 connections within an hour from any other IP.
I think the above (to be placed in /etc/sysconfig/iptables) are a lot easier solutions than some scripts -- although these solutions do not distinguish between successful logins and failures. Still, the level of complication is a lot lower, and this approach will work for _ANY_ TCP/IP service.
Cheers, MaZe.
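A small model of how the per-IP newssh variant above behaves under the recent match's semantics, as an added example (not part of MaZe's post and not iptables code): each --set appends a timestamp for the source address, and --update --seconds S --hitcount N matches when at least N of that address's timestamps fall inside the last S seconds, appending one more only when it matches. Times are plain seconds rather than kernel jiffies, the 20-stamp cap mirrors xt_recent's ip_pkt_list_tot default, and the sample addresses are constructed TEST-NET values.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Whitelist from the post's chain; private ranges only, the two placeholders are omitted.
WHITELIST = [ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STAMP_CAP = 20  # xt_recent keeps ip_pkt_list_tot (default 20) stamps per address


class RecentList:
    """Model of one xt_recent list: a ring of packet timestamps per source address."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=STAMP_CAP))

    def set(self, ip, now):
        """--set: create the entry if needed and record this packet's time."""
        self.stamps[ip].append(now)

    def update(self, ip, now, seconds, hitcount=0):
        """--update --seconds S [--hitcount N]: match when the address already has
        at least N stamps (any stamp, when N is 0) in the last S seconds; only a
        matching packet appends a new stamp, so rejected hits keep counting."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        matched = hits >= max(hitcount, 1)
        if matched:
            self.stamps[ip].append(now)
        return matched


def newssh(recent, ip, now):
    """Per-IP newssh variant from the post, applied to one new SSH connection:
       -A newssh -j whitelist
       -A newssh -m recent --update --seconds 3600 --hitcount 10 -j REJECT
       -A newssh -m recent --set -j ACCEPT"""
    if any(ip_address(ip) in net for net in WHITELIST):
        return "ACCEPT"
    if recent.update(ip, now, seconds=3600, hitcount=10):
        return "REJECT"
    recent.set(ip, now)
    return "ACCEPT"


def simulate(attempts):
    """Feed (source_ip, time_in_seconds) attempts through the chain; return the verdicts."""
    recent = RecentList()
    return [newssh(recent, ip, t) for ip, t in attempts]
```

Running simulate over ten connections a second apart, an eleventh at t=100 and a twelfth at t=3650 gives ten ACCEPTs, one REJECT, then ACCEPT again once the older stamps have aged out of the hour window.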