I was thinking of redirecting all the ssh attacks to spamd. spamd is a program that is used to having bad guys attacking it, so it should not affect the security. Then using max-src-conn-rate to block them.

My actual problem is less with ssh than with the Microsoft vpn. I trust the people who have ssh connections to have good passwords; it's the people with vpn connections that I don't trust. And I of course would do the same trick with the vpn port.

As an aside, I have wondered why the bad guys use user names like bob, john, sally. If I was going to be a bad guy I think I would get a cheap mailing list and use the email address names as my attacking user ids.

Matthias Kilian wrote:
> On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote:
>> Expect I was not clear.
>>
>> Someone is attacking address 1, address 2, address 3; those
>> addresses are all blocked with respect to ssh, but because he
>> is attacking those addresses, I want to stop an expected attack
>> on address 4. I never want to pass ssh on address 1, address 2
>> or address 3 ever. I want to use the information that someone
>> was trying to ssh to those addresses to identify the person as
>> an attacker.
>
> Oh, sorry for not reading exactly.
>
> So your problem is that you want to get state for ssh connection
> attempts to addresses 1, 2 and 3 but at the same time want to block
> those connections. This isn't possible (no connection - no state).
>
> (QUICK HACK ALERT)
>
> But it may be possible to redirect those connections to some unused
> port on localhost (i.e. the firewall), let something listen on this
> port, accept everything but immediately close the connection.
> Then use a simple pass rule with overload and max-src-conn options
> to add offending addresses to your table.
>
> Ciao,
> Kili
>
> ps: I didn't test the above, so if it's complete nonsense, feel
> free to flame me.
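
Added example, not part of the original messages: a pf.conf sketch of the decoy-address idea discussed in this thread, written in current OpenBSD syntax (rdr-to) rather than the 2006 rdr rule form. The interface name, the documentation-range addresses, the table name <sshscan> and the 2/60 threshold are assumptions chosen for illustration; 8025 is spamd's default listening port.

```pf
# Placeholders (constructed for this example, not taken from the thread).
ext_if = "em0"
decoys = "{ 192.0.2.1, 192.0.2.2, 192.0.2.3 }"  # addresses 1-3: never serve ssh
real   = "192.0.2.4"                            # address 4: the real sshd

# Sources that probed a decoy address too often end up here.
table <sshscan> persist

# Anything already in the table is dropped before it reaches address 4.
block in quick on $ext_if from <sshscan>

# ssh to a decoy address is handed to a local listener (spamd here) instead
# of being blocked. The listener completes the TCP handshake, so pf has a
# state entry to count; max-src-conn-rate only counts completed handshakes,
# which also means a spoofed source address cannot get a third party listed.
pass in on $ext_if inet proto tcp from any to $decoys port 22 \
    rdr-to 127.0.0.1 port 8025 \
    keep state (max-src-conn-rate 2/60, \
                overload <sshscan> flush global)

# The real service stays reachable for every source not yet in the table.
pass in on $ext_if inet proto tcp from any to $real port 22 keep state
```

`pfctl -t sshscan -T show` lists the addresses caught so far, and `pfctl -t sshscan -T expire 86400` removes entries older than a day so that reassigned addresses are not blocked forever. The same pair of rules can be repeated for the vpn port.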

