My previous reply was cut by some unknown reason, let me try again.
On Sun, 26 Jun 2005, Henrik Gustafsson wrote:
Hi!
As a response to an idea posted in pf@ the other day I wrote this
utility for removing pf table entries based on their age. It has now
been somewhat tested and updated, and so I figured it would be good to
make it available to a larger group of people for testing on a larger
scale.
I've been using this on a machine for at least a week now, trying to fend
off ssh brute-force attempts. Works perfectly with pf rules like these:
block in quick on $ext_if from <ssh-bruteforce>
.
.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
flags S/SA keep state \
(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
I'm then purging entries older than one hour from the ssh-bruteforce
table, using the above named utility run from cron every five minutes.
This is imho a lot nicer than solutions based on modifying and patching
the ssh daemon.
/Johan
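Johan runs Henrik's utility from cron to drop table entries older than an hour. As an added example that is not part of this thread or of Henrik's tool, the script below does the same age-based purge by parsing `pfctl -t <table> -T show -vv` (each entry's "Cleared:" timestamp) and deleting the stale addresses with `pfctl -T delete`. The `-T show -vv` layout and the sample output are assumptions, so check them against your pf version; newer pfctl releases also provide `-T expire seconds` for exactly this job.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of `pfctl -t ssh-bruteforce -T show -vv` output. The layout
# (address line, then a "Cleared:" ctime stamp) is assumed; check it on your pf.
SAMPLE_SHOW = """\
   192.0.2.10
\tCleared:     Sun Jun 26 11:00:00 2005
\tIn/Block:    [ Packets: 12                 Bytes: 720                ]
   192.0.2.11
\tCleared:     Sun Jun 26 12:40:00 2005
\tIn/Block:    [ Packets: 3                  Bytes: 180                ]
"""

ADDR_RE = re.compile(r"^\s*!?([0-9A-Fa-f:.]+(?:/\d+)?)\s*$")
CLEARED_RE = re.compile(r"^\s*Cleared:\s+(.*\S)")

def parse_ctime(stamp):
    """Parse a ctime(3) string such as 'Sun Jun  6 09:05:00 2005'."""
    return datetime.strptime(" ".join(stamp.split()), "%a %b %d %H:%M:%S %Y")

def parse_show(text):
    """Map each table address to the time pf added it (or last cleared its stats)."""
    entries, current = {}, None
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CLEARED_RE.match(line)
        if m and current:
            entries[current] = parse_ctime(m.group(1))
    return entries

def stale_entries(entries, now, max_age_seconds):
    """Addresses whose age exceeds the cutoff, sorted for stable output."""
    return sorted(a for a, t in entries.items()
                  if (now - t).total_seconds() > max_age_seconds)

def expire_table(table, max_age_seconds, run=subprocess.run):
    """Read the table, delete stale entries via pfctl, return what was removed."""
    show = run(["pfctl", "-t", table, "-T", "show", "-vv"],
               capture_output=True, text=True, check=True).stdout
    old = stale_entries(parse_show(show), datetime.now(), max_age_seconds)
    if old:  # pfctl -T delete accepts several addresses in one call
        run(["pfctl", "-t", table, "-T", "delete", *old], check=True)
    return old

if __name__ == "__main__":
    # Same policy as the post: entries older than one hour go; run this from cron.
    print(expire_table("ssh-bruteforce", 3600))
```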