This post was last edited by KDE on 2023-3-14 06:07
/etc/hosts.deny: starting with RHEL 8, tcp_wrappers has been removed and is no longer usable; the deb-based distributions will drop it later as well.
Better to build the inbound whitelist with the newer nftables firewall instead.
# nftables
# start from an empty ruleset, then create the table and a default-drop input chain
nft flush ruleset
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0 ; policy drop ; }'
# loopback and reply traffic for existing connections
nft add rule inet filter input iif "lo" accept
nft add rule inet filter input ct state '{ established, related }' accept
nft add rule inet filter input ct state invalid drop
# IPv6 neighbour discovery, plus rate-limited ping
nft add rule inet filter input icmpv6 type '{ nd-neighbor-advert, nd-neighbor-solicit, nd-redirect, nd-router-advert, nd-router-solicit }' accept
nft add rule inet filter input icmp type echo-request limit rate 1/second accept
nft add rule inet filter input icmpv6 type echo-request limit rate 1/second accept
# SSH only from the admin prefixes; web and DNS open on eth0
nft add rule inet filter input iif "eth0" tcp dport 22 ip saddr 10.1.1.0/24 accept
nft add rule inet filter input iif "eth0" tcp dport 22 ip6 saddr 240e:350::/29 accept
nft add rule inet filter input iif "eth0" tcp dport '{ 80, 443 }' accept
nft add rule inet filter input iif "eth0" udp dport '{ 53 }' accept
Addendum: even this gets hit by the keyword filter; what exactly are they afraid of?
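The `nft add` commands above are lost at reboot. The same whitelist written as a persistent ruleset file for `nft -f` is added here as an example (it is not part of the original post); the interface name, ports and source prefixes come from the post, while the `define`, the named sets and the drop counter/log rule are this example's own additions.

```nftables
#!/usr/sbin/nft -f
# Added example: persistent form of the post's inbound whitelist, e.g. as
# /etc/nftables.conf loaded by the nftables service. Set names and the
# logging rule are assumptions of this example, not from the original post.

flush ruleset

define wan_if = "eth0"

table inet filter {
    # Admin sources allowed to reach SSH; extend the sets instead of editing rules
    set ssh_sources_v4 {
        type ipv4_addr
        flags interval
        elements = { 10.1.1.0/24 }
    }
    set ssh_sources_v6 {
        type ipv6_addr
        flags interval
        elements = { 240e:350::/29 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state { established, related } accept
        ct state invalid drop

        # IPv6 neighbour discovery has to pass or the host loses IPv6 connectivity
        icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-redirect,
                      nd-router-advert, nd-router-solicit } accept
        icmp type echo-request limit rate 1/second accept
        icmpv6 type echo-request limit rate 1/second accept

        iif $wan_if tcp dport 22 ip saddr @ssh_sources_v4 accept
        iif $wan_if tcp dport 22 ip6 saddr @ssh_sources_v6 accept
        iif $wan_if tcp dport { 80, 443 } accept
        iif $wan_if udp dport 53 accept

        # Everything else is dropped by the chain policy; count it and log a
        # rate-limited sample so unexpected inbound traffic shows up in the kernel log
        counter
        limit rate 5/minute log prefix "nft-input-drop: "
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before loading it; `-c` parses and validates without changing the live ruleset, which matters when the SSH rule is the only way back in.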