On Wed, Jun 27, 2007 at 09:54:04PM -0700, Steve B wrote:
> The rule I've had in my pf.conf file to catch and block forceful SSH
> attempts no longer appears to be working. I see the entries in my authlog,
> but the IPs are no longer getting added to my table. I suspect I screwed
> something up, but so far I am at a loss to see where. Could someone pass
> another set of eyes over the relevant parts of my pf.conf?
>
> ## SSH Hackers - blocked IPs
> table <scanners> persist file "/etc/tables/scanners"
>
> ## Packet Filtering ##
> block quick from <scanners>
> block in all
>
> ## Pass SSH traffic ##
> pass in log on $ext_if inet proto tcp from any to any port = ssh flags S/SA
> keep state (source-track rule, max-src-conn 10, max-src-conn-rate 5/60,
> overload <scanners> flush global, if-bound, src.track 60)

'pass in log' suggests the solution; try to connect via SSH and let tcpdump
listen on pflog0.

		Joachim

--
TFMotD: perlnewmod (1) - preparing a new module for distribution
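
An added example, not part of the original thread: one way to check what tcpdump shows on pflog0 against the `max-src-conn-rate 5/60` threshold in the quoted rule, to see which sources should have landed in `<scanners>`. The tcpdump line format, the sample lines (constructed) and the function name are assumptions; pf itself rates established connections with a moving average, so this SYN-based sliding window is an approximation.

```python
import re
from collections import defaultdict, deque

# Constructed sample in the assumed shape of `tcpdump -n -e -tt -i pflog0`
# output; interface, rule numbers and addresses are made up.
SAMPLE = """\
1183006400.000000 rule 2/(match) pass in on fxp0: 203.0.113.7.40001 > 192.0.2.10.22: S 1:1(0) win 16384
1183006405.000000 rule 2/(match) pass in on fxp0: 203.0.113.7.40002 > 192.0.2.10.22: S 1:1(0) win 16384
1183006410.000000 rule 2/(match) pass in on fxp0: 198.51.100.4.51000 > 192.0.2.10.22: S 1:1(0) win 16384
1183006410.500000 rule 2/(match) pass in on fxp0: 203.0.113.7.40003 > 192.0.2.10.22: S 1:1(0) win 16384
1183006415.000000 rule 2/(match) pass in on fxp0: 203.0.113.7.40004 > 192.0.2.10.22: S 1:1(0) win 16384
1183006420.000000 rule 2/(match) pass in on fxp0: 203.0.113.7.40005 > 192.0.2.10.22: S 1:1(0) win 16384
1183006425.000000 rule 2/(match) pass in on fxp0: 203.0.113.7.40006 > 192.0.2.10.22: S 1:1(0) win 16384
1183006430.000000 rule 0/(match) block in on fxp0: 203.0.113.7.40007 > 192.0.2.10.22: S 1:1(0) win 16384
1183006490.000000 rule 2/(match) pass in on fxp0: 198.51.100.4.51001 > 192.0.2.10.22: S 1:1(0) win 16384
"""

# Only SYNs passed inbound to port 22 count; blocked packets create no state.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule \S+ pass in on \S+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.22: S "
)


def sources_over_rate(lines, limit=5, window=60.0):
    """Return {source IP: timestamp of the connection that exceeded
    `limit` new connections within `window` seconds}.
    Lines must be in time order, as tcpdump emits them."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    tripped = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, src = float(m["ts"]), m["src"]
        q = recent[src]
        q.append(ts)
        while ts - q[0] >= window:    # drop connections older than the window
            q.popleft()
        if len(q) > limit and src not in tripped:
            tripped[src] = ts
    return tripped


if __name__ == "__main__":
    for src, ts in sources_over_rate(SAMPLE.splitlines()).items():
        print(f"{src} exceeded 5/60 at {ts:.0f}")
```

To use it on real traffic, feed it the output of `tcpdump -n -e -tt -r /var/log/pflog`. A source it reports that is missing from `pfctl -t scanners -T show` points at the overload step rather than at logging.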