Hi everyone, I don't know how many of you have noticed this, but my mailserver has become the victim of what seems to be a new kind of dictionary attack. I'm seeing connections from literally hundreds of different hosts, working as an evident botnet, that connect via ssh and try various passwords. While I'm not terribly concerned with the password strength of most users who have ssh access (it's not many either), I'm still very irritated by this. What makes this a challenge to stop or block is the fact that each specific host only attempts to connect once every 4-5 hours usually, though in rare instances, it will connect every 1.5-2 hours.
What I've done this morning on the machine running pf to try and get this under control is set up a max-src-conn-rate rule of 2/4000, and set up a redirect from the firewall/router running OpenBSD/pf to the mailserver with a pass rule so that I don't get blocked out of it myself! (Though the mailserver is behind a router, it has a routable IP, making this option viable). My question is, will this seemingly HUGE time interval even work in pf? Has anyone else seen this sort of thing, and what have you done to mitigate this? For the record, I know about ssh keys, and it's in fact set up on other machines, but for various reasons, I can't enable it just yet on this one.
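An added example, not part of the original post: a log check that compares per-source ssh failure timing against a 2/4000 threshold like the one described above. It assumes a simplified sliding-window model (more than `limit` attempts inside `window` seconds), which only approximates pf's max-src-conn-rate, and it runs on constructed log lines with documentation-range addresses.

```python
import re
from datetime import datetime

# Constructed sample log lines (documentation-range addresses), not real data.
SAMPLE_LOG = """\
2024-01-01T00:05:00 sshd[101]: Failed password for root from 198.51.100.7 port 40001 ssh2
2024-01-01T00:10:00 sshd[102]: Failed password for invalid user admin from 198.51.100.8 port 40002 ssh2
2024-01-01T01:00:00 sshd[103]: Failed password for root from 203.0.113.9 port 40003 ssh2
2024-01-01T01:00:20 sshd[104]: Failed password for root from 203.0.113.9 port 40004 ssh2
2024-01-01T01:00:40 sshd[105]: Failed password for root from 203.0.113.9 port 40005 ssh2
2024-01-01T01:45:00 sshd[106]: Failed password for invalid user test from 198.51.100.8 port 40006 ssh2
2024-01-01T03:30:00 sshd[107]: Failed password for root from 198.51.100.8 port 40007 ssh2
2024-01-01T04:35:00 sshd[108]: Failed password for root from 198.51.100.7 port 40008 ssh2
2024-01-01T09:10:00 sshd[109]: Failed password for root from 198.51.100.7 port 40009 ssh2
"""

FAIL_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")
EPOCH = datetime(1970, 1, 1)

def parse_failures(text):
    """Map source IP -> sorted list of failure times in seconds."""
    by_src = {}
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = (datetime.fromisoformat(m.group(1)) - EPOCH).total_seconds()
            by_src.setdefault(m.group(2), []).append(ts)
    return {ip: sorted(times) for ip, times in by_src.items()}

def tightest_span(times, limit):
    """Shortest time (s) in which limit+1 attempts occurred, or None if too few."""
    spans = [times[i + limit] - times[i] for i in range(len(times) - limit)]
    return min(spans) if spans else None

def evaluate(text, limit=2, window=4000):
    """Split sources into those a limit/window threshold catches and those it misses."""
    caught, missed = {}, {}
    for ip, times in parse_failures(text).items():
        span = tightest_span(times, limit)
        (caught if span is not None and span < window else missed)[ip] = span
    return caught, missed

if __name__ == "__main__":
    caught, missed = evaluate(SAMPLE_LOG)
    print("caught by 2/4000:", caught)
    print("missed (value = smallest window that would catch it):", missed)
```

The value reported for each missed source is the shortest span covering three of its attempts, so it shows how large the window would have to be before that source trips the threshold.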

