I had someone try to attack my zeroshell computer yesterday. there were 1000’s of failed ssh login attempts in the logs. I think you need a feature if someone from the same ip address tries to logon more than 3 times and fails there IP address should be blocked for an hour or so.
If you are using the beta11 release, in the INPUT chain of the firewall you could use the parameter “Parallel connections per IP” to limit the maximum number of connections on the port 22/TCP from the same client.
I posted a Request for a Feature about FWKNOP that can help solve that problem by effectively hiding the SSH until you send some authorization packet (like Port Knocking but single packet with cryptography).
This way, not only a SCAN would do absolutely nothing (it would not respond to any request), you can protect vulnerable services from remote access even before a patch is available by limiting who can reach the service.
Thanks again for your work on providing this excellent woftware that is Zeroshell.