I have a question about this. Will NEW offenders be added to /etc/tables/scanners as they are discovered, and therefore not just remain in the kernel?

It would be nice, since doing a reboot wipes out kernel-kept IPs...

    table <scanners> persist file "/etc/tables/scanners"

vs.

    table <scanners> persist

Thanks :)

-JD

>Date: Thu, 28 Jun 2007 01:39:37 -0400
>From: Daniel Ouellet <[EMAIL PROTECTED]>
>User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
>To: OpenBSD <misc@openbsd.org>
>Subject: Re: SSH brute force attacks no longer being caught by PF rule
>Sender: [EMAIL PROTECTED]
>
>Steve B wrote:
>>The rule I've had in my pf.conf file to catch and block forceful SSH
>>attempts no longer appears to be working. I see the entries in my authlog,
>>but the IPs are no longer getting added to my table. I suspect I screwed
>>something up, but so far I am at a loss to see where. Could someone pass
>>another set of eyes over the relevant parts of my pf.conf?
>
>Put quickly as an example, but you can try:
>
># Define some variable for clarity
>SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
>
>## SSH Hackers - blocked IPs
>table <scanners> persist file "/etc/tables/scanners"
>
># Block ssh access to bad ssh scanner
>block drop in log quick on $ext_if inet proto tcp \
>    from <scanners> to any port ssh
>
># Allow quick valid traffic to ssh but log all attempts as well
>pass in log quick on $ext_if inet proto tcp from ! <scanners> \
>    to $ext_if port ssh flags S/SA keep state \
>    $SSH_LIMIT
>
>You may also want to add a section to always make sure you will have
>SSH access to your box before you block all SSH access like you did,
>should someone spoof your source IP to log yourself out as well, with
>maybe something like:
>
># Allow quick ssh access to good guys on main interface.
>pass in quick on $ext_if inet proto tcp from <goodguys> \
>    to $ext_if port ssh flags S/SA keep state
>
>Daniel
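As an added example that is not part of JD's or Daniel's messages: `table <scanners> persist file` only loads the file when the ruleset is loaded, and pf never writes the addresses that `overload <scanners>` adds back to that file, so the kernel copy has to be dumped to the file by a periodic job. The script below assumes the table name and file path from the thread, that it runs as root from cron, and that a 24-hour expiry is wanted; the merge step is plain text processing so it can be exercised without pf.

```shell
#!/bin/sh
# Added example, not from the thread. Writes the kernel copy of the
# <scanners> table back to its persist file so that addresses added by
# "overload <scanners>" survive a reboot. Run from root's crontab, e.g.
#   */10 * * * * /usr/local/sbin/save-scanners --save   (path assumed)

TABLE="scanners"
PERSIST_FILE="/etc/tables/scanners"   # path used in the thread
MAX_AGE=86400                         # seconds an entry may stay idle before it is dropped

# merge_table_dump: stdin is the output of `pfctl -t TABLE -T show`
# (one address per line, indented); $1 is the current file contents.
# Emits the union: whitespace trimmed, blank and comment lines dropped,
# duplicates removed, sorted.
merge_table_dump() {
    { printf '%s\n' "$1"; cat; } \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v -e '^$' -e '^#' \
        | sort -u
}

# save_table: age out stale entries, dump the live table, merge it with
# the file, and replace the file atomically. Needs root for pfctl.
save_table() {
    table=$1
    file=$2
    tmp="$file.tmp.$$"
    existing=""
    if [ -r "$file" ]; then
        existing=$(cat "$file")
    fi
    # Drop entries whose statistics were last cleared more than MAX_AGE
    # seconds ago, so the table does not grow without bound.
    pfctl -t "$table" -T expire "$MAX_AGE" >/dev/null 2>&1
    pfctl -t "$table" -T show | merge_table_dump "$existing" > "$tmp" \
        && mv "$tmp" "$file"
}

# Only touch pf when invoked with --save, so the functions can be
# sourced and tested on their own.
if [ "${1:-}" = "--save" ]; then
    save_table "$TABLE" "$PERSIST_FILE"
fi
```

Because the file is reloaded with the ruleset, entries the job has saved come back after `pfctl -f /etc/pf.conf` or a reboot; entries that appeared after the last run are still lost, so the cron interval bounds that gap.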