Not a bad idea.  Now that I broke HEAD (seriously) and made aliases work as tables this will become more doable in the future.

--Bill

On 7/26/06, Peter Allgeyer <[EMAIL PROTECTED]> wrote:
Hi,

just want to know if there are any plans on generating more specialized
tables for limiting access of brute force attacks. At the moment an
attackers IP address is globally blocked by one rule (see below), if he
exceeds the limit of connections per timeslot:

block in quick from <virusprot> to any label "virusprot overload table"

What I want is something like this:

block in quick proto tcp from <virusprot> to any port 22 label "virusprot overload table"

The advantage is that only the desired service is blocked, not the whole
IP address. This is useful, for example, if the attacker is behind a NAT device:
SSH is blocked, while web access or ICMP echo requests are still possible.

There's another table for <sshlockout>, but it's not referenced anywhere
in a ruleset. I don't know if it's useful for anything, or whether it's already
a stub for a general solution to SSH brute force attacks.

BR,
  PIT


---------------------------------------------------------------------------
copyleft(c) by |           We are MicroSoft. You will be
Peter Allgeyer |   _-_     assimilated. Resistance is futile.   --
                | 0(o_o)0   Attributed to B.G., Gill Bates
---------------oOO--(_)--OOo-----------------------------------------------
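The per-service variant Peter asks for, written out as a complete pf.conf fragment. This is an added example, not code from the thread or from the pfSense ruleset; the interface macro and the connection limits are assumed values. It also shows what the original message only alludes to: the pass rule whose overload clause actually fills <virusprot>.

```pf
# Added example (not from the thread or pfSense): scope the overload block to SSH only.
# Assumed macro; set it to the real external interface.
ext_if = "em0"

# Table filled by the overload clause below. 'persist' keeps it around even when
# no rule references it, so pfctl can still add and expire entries.
table <virusprot> persist

# Block only TCP/22 from overloaded sources. 'quick' stops rule evaluation so no
# later pass rule can re-admit them; other services from the same address stay
# reachable, which is the point for sources behind a NAT device.
block in quick on $ext_if proto tcp from <virusprot> to any port 22 \
    label "virusprot overload table"

# Admit SSH but rate-limit new connections per source address:
#   max-src-conn      10    - at most 10 concurrent states per source
#   max-src-conn-rate 5/30  - at most 5 new connections per 30 seconds per source
# A source exceeding either limit is added to <virusprot>.
# 'flush' (without 'global') tears down only the states created by this rule,
# so existing HTTP or ICMP state from that address survives; 'flush global'
# would kill every state from the address and defeat the per-service goal.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <virusprot> flush)
```

Two things to check after loading this: pf tables never age entries out by themselves, so something like `pfctl -t virusprot -T expire 3600` has to run periodically (cron) to drop entries older than an hour, and `pfctl -t virusprot -T show` lists what is currently blocked so you can confirm the overload rule is firing as expected.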
