On Mon, Jun 28, 2021 at 06:38:21PM +0200, Matthieu Herrb wrote:
> I have rules like this one on the firewalls I manage:
>
> pass in on $in_if proto tcp from any to port ssh \
> flags S/SA keep state \
> (source-track rule, max-src-states 30, max-src-conn 20, \
> max-src-conn-rate 15/30, overload <ssh-bruteforce> flush global)
>
> block log from <ssh-bruteforce>
>
> However some legitimate remote users get their addresses added to the
> ssh-bruteforce table from time to time.
>
> I'd like to be able to figure out the reason (i.e. which condition
> triggers the overload). Is there a way to have it logged somewhere
> that I'm missing?
`set debug notice' should syslog(3) addresses being overloaded in the
first place, but I'm fairly certain there is currently no way to get
more than that.
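As an added example (not from either message), a defender-side check for the three source-tracking limits in the rule quoted above: it reads `pfctl -s Sources` output and reports, per source, how close each counter is to max-src-states, max-src-conn and max-src-conn-rate. The line format and the sample addresses are assumptions, constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes "pfctl -s Sources" prints
# lines like:  ADDR -> RADDR ( states N, connections N, rate X.Y/Zs )
# Limits copied from the rule in the quoted message.
MAX_SRC_STATES=30
MAX_SRC_CONN=20
MAX_SRC_CONN_RATE=15   # connections per 30 seconds (the "15/30" in the rule)

# check_sources: read source-tracking lines on stdin, print one line per
# source with each counter against its limit and which limit(s) it hits.
# Assumption (verify against your pf release): max-src-conn and
# max-src-conn-rate are strict greater-than checks that trigger the
# overload, while max-src-states only refuses new states once reached.
check_sources() {
    awk -v ms="$MAX_SRC_STATES" -v mc="$MAX_SRC_CONN" -v mr="$MAX_SRC_CONN_RATE" '
    /\( states / {
        addr = $1
        states = $6; sub(",", "", states)      # "22," -> "22"
        conn = $8;   sub(",", "", conn)
        split($10, r, "/"); rate = r[1]       # "16.4/30s" -> "16.4"
        hit = ""
        if (states + 0 >= ms) hit = hit " max-src-states"
        if (conn + 0 > mc)    hit = hit " max-src-conn"
        if (rate + 0 > mr)    hit = hit " max-src-conn-rate"
        if (hit == "") hit = " none"
        printf "%s states=%s/%s conn=%s/%s rate=%s/%s hit:%s\n",
            addr, states, ms, conn, mc, rate, mr, hit
    }'
}

# sample_sources: constructed stand-in for "pfctl -s Sources" (documentation
# addresses; not real hosts).
sample_sources() {
    cat <<'EOF'
203.0.113.5 -> 0.0.0.0 ( states 22, connections 21, rate 16.4/30s )
198.51.100.7 -> 0.0.0.0 ( states 30, connections 4, rate 0.0/30s )
192.0.2.9 -> 0.0.0.0 ( states 3, connections 2, rate 1.0/30s )
EOF
}

# Demo run on the constructed sample.
sample_sources | check_sources
```

On the firewall, replace `sample_sources` with `pfctl -s Sources` and run the check while the legitimate user is connected, since `flush global` removes the source entry once the overload fires.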