On Fri, Feb 16, 2007 at 11:00:20AM -0500, Josh Grosse wrote:
> On Fri, Feb 16, 2007 at 04:50:10AM +0000, John wrote:
> > ...What I'd like is to
> > allow max 2 failures from one IP in 30 seconds, if more than that write
> > to /etc/shitlist.txt which, if the connecting IP is found in there, logs
> > and silently drops the connection. Can pf do this?
>
> Yes, it can do this, depending on your release/version. Here is an
> example of 3 attempts in 30 seconds which places the IP address into
> an "ssh-attackers" table, and flushes all existing states for that IP from
> the state table:
>
> pass in proto tcp from any to any port ssh \
>     keep state (max-src-conn-rate 3/30, \
>     overload <ssh-attackers> flush global)
>
Thank you to all who replied. I've got something to get my teeth into now :)

I should have mentioned at the start, I'm running 4.0-stable.

--
John
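A pf.conf fragment built around the rule Josh quoted, added here as an example (it is not from the thread), showing the two pieces that rule depends on: the table it overloads into, and a block rule that logs and drops anything already listed, which is the behaviour John asked for. The interface macro $ext_if is an assumption. Note that max-src-conn-rate counts new TCP connections from a source address, not failed logins, so it throttles connection attempts rather than authentication failures.

```pf
# pf.conf fragment: rate-limit inbound ssh and blacklist abusive sources.
# Added example, not from the thread. The interface name is assumed.
ext_if = "em0"

# Table that the overload clause fills. "persist" keeps the table defined
# even while it is empty, so the block rule below always has a target.
table <ssh-attackers> persist

# Anything already listed is logged (to pflog0) and silently dropped.
# "quick" ends rule evaluation here, so the pass rule never sees it.
block in log quick on $ext_if from <ssh-attackers> to any

# Allow new ssh connections, but track new connections per source IP.
# More than 3 new connections from one source within 30 seconds adds the
# source to <ssh-attackers>; "flush global" tears down every state that
# source already holds, not only the states created by this rule.
pass in on $ext_if proto tcp from any to any port ssh \
    keep state (max-src-conn-rate 3/30, \
    overload <ssh-attackers> flush global)
```

Table entries stay until removed: `pfctl -t ssh-attackers -T show` lists them and `pfctl -t ssh-attackers -T expire 86400` drops entries older than a day, while `tcpdump -n -e -ttt -i pflog0` shows the logged drops.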
