getting iptables to firewall established connections
I have been writing a script to stop a distributed password guesser that is trying to get into my server over SSH. The password guesser is coming in from different source IP addresses. Each IP address attempts about 150 guesses.
I have managed to write a gawk script http://www.60hertz.com/monitorsecurelog.awk that counts the guesses in my /var/log/secure. The gawk script then calls a second script to add a 'drop' rule to my iptables firewall after 20 guesses. The script that adds the firewall rule is http://www.60hertz.com/firewallIp.bash.
My problem is that the script to firewall the attacking IP is updating my iptables rule set, but the attacker is not dropped. It appears that the established connection allows the attacker to keep holding open the connection to my sshd. I modified my firewallIP.bash script to stop and restart sshd after my rule had been applied, but that still did not break the attacker's connection.
Does anyone know how I can terminate an established connection to sshd from an attacker so that my new firewall rule is effective immediately?
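The usual cause of this symptom is rule order: most rulesets start with `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`, and a DROP appended with `-A` lands after that line, so packets of the attacker's existing session are accepted before the DROP is ever consulted. The script below is an added example (not the poster's firewallIp.bash and not from any project) showing both halves of the fix: inserting the DROP at the head of INPUT with `-I INPUT 1`, and deleting the attacker's connection-tracking entries with `conntrack(8)` so the kernel stops classifying its packets as ESTABLISHED. It assumes iptables 1.4.11 or later (for `-C`), the conntrack-tools package, root privileges when actually applied, and uses 203.0.113.5 as a constructed example address.

```shell
#!/bin/sh
# Added example: block an attacking IPv4 address so the rule bites immediately,
# even for an ssh session that is already ESTABLISHED.
# Assumptions: iptables >= 1.4.11 (-C check), conntrack-tools installed.

# Cheap IPv4 sanity check so a malformed log field never reaches iptables.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldIFS=$IFS; IFS=.
    set -- $1            # split into the four octets
    IFS=$oldIFS
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the commands that block one address; executes nothing.
# Printing first keeps the logic testable and gives an audit trail.
block_cmds() {
    ip=$1
    is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    # 1. Insert the DROP at position 1 of INPUT, ahead of any
    #    RELATED,ESTABLISHED accept rule. -C makes this idempotent.
    echo "iptables -C INPUT -s $ip -j DROP 2>/dev/null || iptables -I INPUT 1 -s $ip -j DROP"
    # 2. Delete every conntrack entry involving the address so the existing
    #    session no longer matches --state ESTABLISHED.
    echo "conntrack -D -s $ip"
    echo "conntrack -D -d $ip"
}

# Execute the commands (needs root). Set DRY_RUN=1 to only print them.
block_ip() {
    cmds=$(block_cmds "$1") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
}

# Example invocation (constructed address): block_ip 203.0.113.5
```

Restarting the sshd daemon, as tried in the question, does not help here because each accepted session is served by a forked child process that outlives the listener restart; removing the conntrack entry (or, with newer kernels, dropping the rule ahead of the ESTABLISHED accept) is what actually stops the flow. Hook `block_ip` into the awk-driven script in place of the plain `iptables -A ... -j DROP`, and consider a `-p tcp --dport 22` match if you only want to cut SSH rather than all traffic from the address.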