So my question is, can't we make iptables see the number of NEW connections / attempts (basically a dictionary attack) in a given time frame? And if the number of NEW connections exceeds a certain time frame, then start DROP or TARPIT.
This *IS* based on the number of NEW connections in a given time frame. Note the "--seconds 60" parameter. This is designed to see if there have been fewer than x NEW connections in the 60 second period. If there have been fewer than x NEW connections in y time (seconds), then RETURN back to the calling chain and do not continue to parse this chain and ultimately TARPIT or DROP.
NOTE: Take a look at https://lists.netfilter.org/pipermail/netfilter/2005-May/060570.html as this email has a newer (functioning) version of this script.
Grant. . . .
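An added example, not the script from the thread or the newer version linked above: one way to build the chain the reply describes using iptables' recent match, where fewer than x NEW connections inside the --seconds window RETURNs to the calling chain and anything beyond that is dropped (or tarpitted). The chain name SSH_GUARD, the list name sshguard, and the threshold of 4 NEW connections per 60 seconds are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread. Builds a dedicated chain that
# RETURNs while a source has made fewer than HITCOUNT NEW SSH connections in
# the last WINDOW seconds and applies VERDICT once that count is reached.
# Run with "apply" to load the rules or "teardown" to remove them; with no
# argument the rules are only printed. Names and thresholds are assumptions.
PORT="${PORT:-22}"
WINDOW="${WINDOW:-60}"      # the "--seconds 60" window the reply refers to
HITCOUNT="${HITCOUNT:-4}"   # "x": NEW connections tolerated per window
                            # (must not exceed the recent module's ip_pkt_list_tot, default 20)
VERDICT="${VERDICT:-DROP}"  # VERDICT=TARPIT if the xtables-addons TARPIT target is installed

ssh_guard_rules() {
    # Divert every NEW connection to the SSH port into SSH_GUARD.
    "$IPT" -N SSH_GUARD
    "$IPT" -I INPUT -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j SSH_GUARD
    # 1. Record this attempt for the source address in the "sshguard" list.
    "$IPT" -A SSH_GUARD -m recent --name sshguard --set
    # 2. Fewer than HITCOUNT hits inside WINDOW seconds: RETURN to INPUT, where
    #    the normal SSH ACCEPT rule applies. The negated --rcheck matches
    #    exactly when the threshold has NOT been reached.
    "$IPT" -A SSH_GUARD -m recent --name sshguard ! --rcheck \
        --seconds "$WINDOW" --hitcount "$HITCOUNT" -j RETURN
    # 3. Threshold reached: log (rate-limited so a flood cannot fill the log)
    #    and apply the verdict. Once the source stays quiet for WINDOW seconds
    #    its old hits fall outside the window and it is admitted again.
    "$IPT" -A SSH_GUARD -m limit --limit 6/min -j LOG \
        --log-prefix "SSH_GUARD $VERDICT: " --log-level 4
    "$IPT" -A SSH_GUARD -j "$VERDICT"
}

ssh_guard_teardown() {
    # Remove the INPUT hook first so the chain can be flushed and deleted.
    "$IPT" -D INPUT -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j SSH_GUARD
    "$IPT" -F SSH_GUARD
    "$IPT" -X SSH_GUARD
}

case "${1:-print}" in
    apply)    IPT=iptables; ssh_guard_rules ;;
    teardown) IPT=iptables; ssh_guard_teardown ;;
    *)        IPT=echo;     ssh_guard_rules ;;
esac
```

The RETURN rule is what keeps the chain cheap for normal users: only a source that has already crossed the threshold ever reaches the LOG and DROP rules.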