I am currently under an SSH attack.
The attack is very strange in nature: the attacker is using a botnet of computers and using them for individual login attempts (see log snippet):
Dec 11 08:30:51 rhea sshd[16267]: Invalid user maureen from 78.43.82.153
Dec 11 08:35:24 rhea sshd[20012]: Invalid user maurizio from 201.244.188.202
Dec 11 08:44:46 rhea sshd[27711]: Invalid user max from 211.140.12.46
Dec 11 08:49:10 rhea sshd[31383]: Invalid user max from 190.144.47.82
Dec 11 08:58:19 rhea sshd[6659]: Invalid user max from 69.250.227.138
Dec 11 09:07:28 rhea sshd[14249]: Invalid user maxim from 93.63.231.55
Dec 11 09:12:03 rhea sshd[18127]: Invalid user maximus from 79.188.240.210
I am willing to filter all access to port 22 (i.e. only allow IPs I specify to connect), and that is what I did a couple of days ago (block all connections to port 22 except from myself). What I want to do is log ALL connections that don't match an accept rule and then drop them; this way I can track all the computers in the botnet without giving them the opportunity to attempt to log in.
What I have is something like this:
-A INPUT -s my.addr(s) -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
Update
I have added this to my iptables:
[0:0] -A INPUT -m limit --limit 5/min -p tcp -m tcp --dport 22 -j LOG --log-level 4 --log-prefix "** DoS **"
and used
http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
to set up a separate file; however, I can only see the logged data in dmesg.
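The allow/log/drop ruleset the question describes, as an added example that is not part of the original post. It builds an iptables-restore file that accepts port 22 only from the listed sources, logs every other new connection attempt with a fixed prefix, and drops it; the same script then pulls the attacking source addresses out of the resulting kernel LOG lines and out of sshd "Invalid user" lines, so the two can be compared. The prefix "SSH-REJECT: ", the rate limit, the log file path in the rsyslog fragment, and the sample log lines are all assumptions constructed for the example; only the sshd lines are copied from the question. Nothing in it needs root, because the ruleset is printed rather than loaded.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# ruleset (accept listed sources -> log every other new connection to
# port 22 -> drop), and parses kernel LOG lines and sshd "Invalid user"
# lines to list attacking sources. Prefix, limits and paths are assumed.

PREFIX='SSH-REJECT: '   # assumed log prefix; the parser below matches on it

# Print a complete filter table for iptables-restore.
# Arguments: source addresses/CIDRs that may reach port 22.
ssh_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for src in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport 22 -s $src -j ACCEPT"
    done
    # LOG is a non-terminating target, so it has to sit before DROP or it
    # never fires. --syn gives one line per connection attempt rather than
    # per packet; the limit match keeps a flood from filling the log.
    printf '%s\n' "-A INPUT -p tcp --dport 22 --syn -m limit --limit 30/min --limit-burst 60 -j LOG --log-prefix \"$PREFIX\" --log-level 4" \
        '-A INPUT -p tcp --dport 22 -j DROP' \
        'COMMIT'
}

# Read kernel LOG lines on stdin; print "count ip" per source, busiest first.
ssh_reject_sources() {
    grep -F -- "$PREFIX" \
        | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Read sshd auth log lines on stdin; print the source IP of each
# "Invalid user" attempt, for comparison with the firewall log.
invalid_user_sources() {
    sed -n 's/.*Invalid user [^ ]* from \([0-9.]*\).*/\1/p'
}

# rsyslog fragment routing the prefixed kernel messages to their own file
# (assumed path). "contains" rather than "startswith", because the kernel
# prepends its own timestamp to the message text. Place it before the
# rule that writes kern.* to the general log; "& stop" keeps the line
# from being written there as well.
rsyslog_snippet() {
    printf '%s\n' ":msg, contains, \"$PREFIX\"  -/var/log/ssh-reject.log" '& stop'
}

# Constructed sample input shaped like netfilter LOG output (one unrelated
# kernel line mixed in), plus sshd lines quoted from the question.
SAMPLE_LOG='Dec 11 09:20:01 rhea kernel: [1234.5678] SSH-REJECT: IN=eth0 OUT= SRC=78.43.82.153 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 09:20:09 rhea kernel: [1242.1111] SSH-REJECT: IN=eth0 OUT= SRC=201.244.188.202 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 09:20:31 rhea kernel: [1264.2222] SSH-REJECT: IN=eth0 OUT= SRC=78.43.82.153 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 11 09:20:44 rhea kernel: [1277.3333] Unrelated kernel message with SRC=10.0.0.1 in it
Dec 11 09:21:02 rhea kernel: [1295.4444] SSH-REJECT: IN=eth0 OUT= SRC=211.140.12.46 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=4 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

SAMPLE_SSHD='Dec 11 08:30:51 rhea sshd[16267]: Invalid user maureen from 78.43.82.153
Dec 11 08:35:24 rhea sshd[20012]: Invalid user maurizio from 201.244.188.202
Dec 11 08:44:46 rhea sshd[27711]: Invalid user max from 211.140.12.46'

# Demo: ruleset for two allowed sources, then the offender list from the
# sample log. To load for real: ssh_ruleset <your addresses> | iptables-restore
ssh_ruleset 192.0.2.10 198.51.100.0/24
printf '%s\n' "$SAMPLE_LOG" | ssh_reject_sources
```

Two points worth checking before loading the output: the LOG rule is before the DROP rule (the LOG target never terminates the chain, so the reverse order drops silently), and the allow rules match on the source address rather than on the whole INPUT chain, so a listed host is still subject to any other rules you have.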