On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> Right now someone is trying out each IP address I have
> with an ssh attack. Only one of those IP addresses is
> enabled for ssh. I have a "(max-src-conn-rate 100/10,
> overload <bad_guys> flush global)" on that address.
>
> I would like to know how to get pf to note these
> other attempts and block the sender. To me the obvious
> would be
>
> block in on Outsize proto tcp port ssh flags S/SA
> state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
>
> This does not work. One gets a message that keeping state on
> a blocked rule makes no sense.
You already have or will get answers to your question. Having gone through this myself I'll propose something else: secure your machines and forget about the ssh scanners.

I blocked these guys by various means and watched what happened for a while. Sometimes there were lots of scans and other times there were only a few per day. But they were all hit and run scans, from IPs all over the place. You're going to fill your tables with IPs that aren't coming back. Pf does a fine job with tables, and my boxes never got slow or low on memory. But why waste resources for nothing? At that point you're really doing the same job as pflog.

I ended up using a table for IPs allowed to ssh, others are blocked.

-- 
Darrin Chandler            |  Phoenix BSD Users Group
[EMAIL PROTECTED]          |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
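The allow-list approach described in the reply, written out as a pf.conf fragment. This is an added example, not configuration from either poster; the interface name `ext_if` and the addresses in `<ssh_allowed>` are placeholders, and it is assumed that the rate-limit options from the original post are wanted on the pass rule.

```pf
# Added example (not from the thread). ext_if and the allowed addresses
# below are assumed placeholders; replace them with your own.
ext_if = "em0"

# Sources permitted to reach sshd. Everyone else is dropped by the
# default block below, so scanners never get a state entry at all.
table <ssh_allowed> persist { 192.0.2.10, 198.51.100.0/24 }

# Filled automatically by the overload option on the pass rule.
table <bad_hosts> persist

# Default: drop (and log to pflog) SSH attempts from any other source.
block in log on $ext_if proto tcp to port ssh

# Sources already flagged as abusive are dropped before anything else.
block in quick on $ext_if from <bad_hosts>

# State options are only valid on pass rules, which is why the block
# rule in the original post was rejected. More than 100 new connections
# in 10 seconds from one allowed source moves it into <bad_hosts> and
# flushes the states it already holds.
pass in on $ext_if proto tcp from <ssh_allowed> to port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
```

To keep the table from accumulating one-off scanners, `pfctl -t bad_hosts -T expire 86400` removes entries older than a day and `pfctl -t bad_hosts -T show` lists what is currently blocked.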

