Hi,

just want to know if there are any plans on generating more specialized tables for limiting access of brute force attacks. At the moment an attacker's IP address is globally blocked by one rule (see below) if he exceeds the limit of connections per timeslot:

block in quick from <virusprot> to any label "virusprot overload table"

What I want is something like this:

block in quick proto tcp from <virusprot> to any port 22 label "virusprot overload table"

The advantage is that only the desired service is blocked, not the whole IP address. Useful, for example, if the attacker is behind a NAT device, so that SSH is being blocked while web access or ICMP echo requests are still possible.

There's another table for <sshlockout>, but it's not referenced anywhere in a ruleset. I don't know if it's useful for anything, nor if it's already a stub for a general solution to SSH brute force attacks.

BR,
PIT

---------------------------------------------------------------------------
 copyleft(c) by |           We are MicroSoft.  You will be
 Peter Allgeyer |   _-_     assimilated.  Resistance is futile.  --
                | 0(o_o)0   Attributed to B.G., Gill Bates
---------------oOO--(_)--OOo-----------------------------------------------
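
A pf.conf fragment showing how a per-service overload table of the kind requested above can be populated and enforced. It is an added example, not part of the original post or of the project's generated ruleset; the macro `$ext_if`, the interface `em0`, the table name `<ssh_abuse>` and the rate limits are assumptions chosen for illustration.

```pf
# Added example. Hypothetical names: $ext_if, <ssh_abuse>.
# The connection limits below are sample values, not project defaults.
ext_if = "em0"
table <ssh_abuse> persist

# Enforce the block for SSH only. Web, ICMP and other traffic from the
# same source address (e.g. other users behind the same NAT) still passes.
block in quick on $ext_if proto tcp from <ssh_abuse> to any port 22 \
    label "ssh overload table"

# Sources that exceed the limits are added to <ssh_abuse>.
# "flush" without "global" kills only the states created by this rule,
# so the offender's established non-SSH connections are left alone.
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <ssh_abuse> flush)
```

Entries stay in the table until removed; `pfctl -t ssh_abuse -T expire 3600` run periodically drops addresses that have not matched for an hour.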