While also not what the OP specifically requested, a good option to
consider in general is to use the overload option to allow PF to dynamically
add abusing IPs to a table which is then blocked from ssh access. This is
more for frequent TCP connections on port 22 (or any other) for brute-force
type activity. This is similar to, but not the same as, the fail2ban type
scripts.

I get about 5-10 IPs added to my block table every day, which is cleared
daily via cron.
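
The overload mechanism described above, as an added pf.conf example (not the ruleset of the poster or of any project): a source that opens more than a few ssh connections in a short window is placed into a table, and a quick block rule then drops everything from that table. The external interface name (`em0`), the table name (`bruteforce`), and the connection thresholds are assumptions; tune them to the traffic you actually see. The commented pfctl lines at the end show the daily clearing from cron that the post mentions, using the same assumed table name.

```pf
# Added example; interface, table name and thresholds are assumptions.
ext_if = "em0"

# Table that PF fills at runtime. "persist" keeps it around even when
# no rule references it yet, so pfctl can manage it between reloads.
table <bruteforce> persist

# Anything coming from an address in the table is dropped immediately.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but track per-source state: more than 5 concurrent
# connections, or more than 3 new connections in any 30 second window,
# adds the source to <bruteforce>. "flush global" also tears down every
# existing state that source holds, not just the ssh ones.
pass in on $ext_if proto tcp to port ssh flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)

# Inspect what overload has collected so far:
#   pfctl -t bruteforce -T show
# Daily cleanup from root's crontab (pick one):
#   pfctl -t bruteforce -T expire 86400   # drop entries older than a day
#   pfctl -t bruteforce -T flush          # empty the table completely
```

Because `max-src-conn-rate` only counts connections that create state, the `pass` rule must keep state (the default on current releases, explicit here for older ones). A legitimate administrator who trips the rate limit lands in the same table, so the expire interval, not just the thresholds, decides how long a lockout lasts.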

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Alvaro Mantilla Gimenez
Sent: Friday, December 18, 2009 5:31 PM
To: Karl O. Pinc
Cc: [email protected]
Subject: Re: Restricting source with dDNS (dynamic DNS)



On 18/12/2009, at 12:20, "Karl O. Pinc" <[email protected]> wrote:

> On 12/18/2009 10:16:44 AM, Peter N. M. Hansteen wrote:
>> Jim Flowers <[email protected]> writes:
>>
>>> To lock down services (particularly ssh) as tightly as possible, I
>> like to allow
>>> administrative access to a firewall only from specific ip
>> addresses.
>
>>> Unfortunately, some of the administrators are working from dynamic
>> ip addresses
>>> that change with some frequency.
>>>
>>> Is there a straightforward way to incorporate dynamic ip source
>> addresses in the
>>> pf ruleset?
>>
>> I'd say this sounds like a situation where authpf could come in quite
>> handy.
>
> How?  I thought authpf grants additional rights to those who
> can ssh.  But he wants to restrict those allowed to ssh period.
>
>

If I remember well, some time ago somebody did a port knocking program
and he asked on the OpenBSD misc list about including it in the
ports tree. He had very bad responses and a very ugly discussion. All
the people involved in the discussion (I wasn't) didn't understand
special cases like this: if you want to "close" ssh access from the
world and let some people open ports for administration, maintenance,
or whatever you want, then authpf is not a solution but port knocking
is. Google about that and you will see your solution there. You can, for
example, define a port combination to execute some script to send you
an SMS with the status of one specific service and/or another to
open, for the IP which is doing the combination (of course), the
redirection port to SWAT (Samba web administration) on one
specific server, so you can define different port combinations for
different groups of users...

Google it.

Regards,

       Alvaro
