Hello Lynwood et al.
Amongst many other iptables rules I use the following:
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP -A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource -A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "[PORT SCAN BLOCK]:" -A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
...
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP -A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource -A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "[PORT SCAN BLOCK]:" -A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
Above rules together with fail2ban effectively block/unblock portscan attempts for predefined period of time, here 86400 seconds.
Best regards. Tom - SP2L