On Wed, Jun 27, 2007 at 09:54:04PM -0700, Steve B wrote:
> The rule I've had in my pf.conf file to catch and block forceful SSH
> attempts no longer appears to be working. I see the entries in my authlog,
> but the IPs are no longer getting added to my table. I suspect I screwed
> something up, but so far I am at a loss to see where. Could someone pass
> another set of eyes over the relevant parts of my pf.conf?
> 
> ## SSH Hackers - blocked IPs
> table <scanners> persist file "/etc/tables/scanners"
> 
> ## Packet Filtering ##
> block quick from <scanners>
> block in all
> 
> ## Pass SSH traffic ##
> pass in log on $ext_if inet proto tcp from any to any port = ssh flags S/SA
> keep state (source-track rule, max-src-conn 10, max-src-conn-rate 5/60,
> overload <scanners> flush global, if-bound, src.track 60)

'pass in log' suggests the solution; try to connect via SSH and let
tcpdump listen on pflog0.

                Joachim

-- 
TFMotD: perlnewmod (1) - preparing a new module for distribution
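
An added example, not part of the original thread: a Python sketch that reads pflog0 output captured as suggested above and reports which sources opened more than 5 logged SSH connections within 60 seconds, the figures from the quoted `max-src-conn-rate 5/60`. The line format (assumed to match `tcpdump -n -e -tt -i pflog0`), the addresses, the interface name and the rule number are constructed, and the plain sliding window only approximates pf's own rate accounting.

```python
import re
from collections import defaultdict, deque

# Assumed line shape: "<epoch> rule N/(match) pass in on IF: SRC.PORT > DST.22: S ..."
LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) rule (?P<rule>\d+)/\(match\) (?P<action>\w+) in on \S+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.22: S"
)


def _line(ts, src, sport):
    """Build one constructed pflog line for the sample below."""
    return (f"{ts}.00 rule 3/(match) pass in on fxp0: "
            f"{src}.{sport} > 198.51.100.1.22: S 1:1(0) win 16384")


BASE = 1183006440  # constructed epoch timestamp
# Constructed sample: one source connecting every 2 s, another every 30 s.
SAMPLE = "\n".join(
    [_line(BASE + 2 * i, "192.0.2.10", 40000 + i) for i in range(7)]
    + [_line(BASE + 30 * i, "203.0.113.5", 50000 + i) for i in range(3)]
)


def sources_over_rate(text, limit=5, seconds=60):
    """Map each source exceeding `limit` logged pass-in SYNs to port 22 within
    `seconds` to (matching rule number, timestamp of the first excess)."""
    windows = defaultdict(deque)
    over = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m["action"] != "pass":
            continue  # not a logged, passed SSH SYN
        ts, src = float(m["ts"]), m["src"]
        win = windows[src]
        win.append(ts)
        # Drop connections that have aged out of the window.
        while ts - win[0] >= seconds:
            win.popleft()
        if len(win) > limit and src not in over:
            over[src] = (int(m["rule"]), ts)
    return over


if __name__ == "__main__":
    for src, (rule, ts) in sources_over_rate(SAMPLE).items():
        print(f"{src} exceeded 5/60 at {ts:.0f} (passed by rule {rule})")
```

A source reported here can then be looked up in the output of `pfctl -t scanners -T show` to see whether the overload actually added it to the table.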
