On Mon, 1 Nov 2010 07:30:50 -0700, onteria wrote
> I was checking my authlog today and noticed the following series of
> brute force login attempts:
> 
> Nov  1 01:37:04 solar sshd[8173]: Failed password for root from
> 58.211.1.163 port 8895 ssh2
> Nov  1 01:37:04 solar sshd[10692]: Received disconnect from
> 58.211.1.163: 11: Bye Bye
> Nov  1 01:37:06 solar sshd[6273]: Failed password for root from
> 58.211.1.163 port 9052 ssh2
> Nov  1 01:37:06 solar sshd[21047]: Received disconnect from
> 58.211.1.163: 11: Bye Bye
> 
> First off, login as root is disabled, so not much they can do here,
> but I'd like to try and set up some kind of throttling protection for
> these sorts of attacks. Unfortunately they keep changing ports, so 
> the traditional port 22 protection isn't going to work.

You are confusing the origination port numbers, which can be any random port
number, with the destination port number -- the destination port number is the
port your server is listening on, and that will be 22 by default.

Throttle with PF's stateful tracking options -- see the examples of using
"overload" with "flush" in the PF User's Guide -- Packet Filtering chapter.
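
A pf.conf fragment in the style the reply points to, added here as an example; it is not part of the original message. The interface name, table name and limit values are assumptions.

```conf
# Added example: all names and limits below are assumed, tune for your host.
ext_if = "em0"                      # assumed external interface

# Source addresses that exceed the limits are added here by "overload".
table <bruteforce> persist

# Drop everything from addresses already in the table.
block in quick on $ext_if from <bruteforce>

# Match on the destination port (22, where sshd listens). The client's
# source port is not part of the rule, so it does not matter that it
# changes on every attempt; the limits are tracked per source address.
# max-src-conn-rate 3/30 = at most 3 new connections per 30 seconds.
# "flush global" kills all existing states from the offending address.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and list blocked addresses with `pfctl -t bruteforce -T show`. Entries stay in the table until removed, for example with `pfctl -t bruteforce -T expire 86400`.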
