Aggressive Spam and Zombie blocking via spamhaus.org/drop and IPTables

If there is no end to spam and automated attacks against a server and you do not (or cannot) invest in a high-quality firewall, this technique may offer a respite.

The idea is to pro-actively block all "well-known" malicious net-blocks (according to spamhaus.org's definition, of course). The source for these net-blocks is the Spamhaus DROP list, which is described as:

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie'
netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of
the SBL designed for use by firewalls and routing equipment.

Spamhaus promises:

 The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - 
 even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled 
 by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE,
 APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks
 that have been snatched away from their original owners (which in most cases are long dead corporations)
 and are now controlled by spammers or netblock thieves who resell the space to spammers.
 
 When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from 
 spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.

I combine this list with Portsentry (customizing /etc/cron.hourly/portflush and the killroute BASH script) to release and renew these blocks each hour. This is not really necessary, but it's my way. As an added benefit, however, using Portsentry to block routes will make those routes subject to the portsentry.ignore routes you have configured, which will likely prevent you from blocking yourself or close associates if the DROP list somehow includes your netblock one day!

Here's the one-liner to grab the DROP list and run it through killroute:

 curl -s http://www.spamhaus.org/drop/drop.lasso | grep '^[1-9]' | cut -f 1 -d ' ' | \
 xargs -I X -n 1 killroute X "source: spamhaus.org/drop"

(The `^[1-9]` pattern is quoted so the shell does not try to expand it as a glob; `-I X` is the current spelling of the deprecated `-iX`.) This can also be run as "xargs -I X -n 1 iptables -A INPUT -s X -i eth0 -j DROP", instead.

In /etc/cron.hourly/portflush I add the above one-liner before the "exit" statement so that the now-flushed iptables entries are replaced with the (possibly) updated list of net blocks from the DROP list.

A minor edit to portsentry's killroute (vi `which killroute`) allows a custom "source" comment. Here's my edited killroute:

 #!/bin/sh
 
 # "source" is a bash-ism; under /bin/sh the portable form is "."
 . /etc/sysconfig/portsentry
 
 # Make sure we have a target
 if [ "x$1" = "x" ]
 then
        echo "$(basename "$0"):  Error no target specified."
        exit 1
 fi
 
 # Optional second argument: a custom log prefix (e.g. the list the block came from)
 if [ "y$2" = "y" ]
 then
        PREFIX="portsentry attack alert"
 else
        PREFIX="$2"
 fi
 
 # Figure out which firewall tool to run... backwards compat blows chunks.
 case "$(basename "$IPTOOL")" in
        ipchains)
                ipchains -I "$PORTSENTRY_CHAIN" -s "$1" -j DENY -l
                ;;
        iptables)
                iptables -I "$PORTSENTRY_CHAIN" -s "$1" -j LOG --log-prefix "$PREFIX"
                iptables -I "$PORTSENTRY_CHAIN" -s "$1" -j DROP
                ;;
        *)
                echo "Unrecognized option.... no action taken against $1"
                exit 1
                ;;
 esac
 
 exit 0

I also use this technique in conjunction with Mitigating brute-force password attacks with pam_abl to help protect against brute-force password attacks. Fun, fun, fun.
