Nicolas Morey-Chaisemartin wrote:
Hello guys,

I am currently working on a program that parses the auth.log and adds a rule to ipfw to ban IPs that had too many failed connection attempts.
This way it may block all brute force attacks on SSH.
I haven't found any port doing the same. Is there any?
Just tell me if you are interested.

There seems to be some confusion. OpenBSD uses pf, not ipfw. If you are using pf, you don't need any extra software to block brute-force attacks, just use something like this (these lines get scattered to the correct places in pf.conf; see man pf, or any of several tutorials on the web):

table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp from any to egress port 22 \
        flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 15/5, \
         overload <bruteforce> flush global)

The max-src-conn-rate overload is of course the part that does the blocking.

If you are in fact using ipfw, you'll have more luck on a more appropriate mailing list!
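For completeness, here is an added example (not code from either poster) of the log-driven approach the original question describes, feeding the same <bruteforce> table that the pf.conf excerpt above blocks on. The sshd log lines are constructed samples, and the threshold of three failures is an assumed policy value.

```python
import re
from collections import Counter

# Constructed sample of sshd messages in the usual auth.log/authlog format (not from the thread).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  3 10:01:04 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar  3 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:01:07 host sshd[1236]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:01:09 host sshd[1237]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:01:10 host sshd[1238]: Failed password for invalid user test from 2001:db8::10 port 42000 ssh2
"""

# Matches sshd's "Failed password for [invalid user] <name> from <addr> port <n>" lines;
# the source address (IPv4 or IPv6) is the only capture group.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def failed_attempts(lines):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(lines, threshold=3):
    """Return the addresses with at least `threshold` failures (assumed policy value), sorted."""
    return sorted(ip for ip, n in failed_attempts(lines).items() if n >= threshold)

def pfctl_add_commands(ips, table="bruteforce"):
    """Build the pfctl invocations that add each address to the pf table.
    The table name matches the persist table <bruteforce> in the pf.conf excerpt."""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in ips]

if __name__ == "__main__":
    ips = offenders(SAMPLE_AUTH_LOG.splitlines())
    for cmd in pfctl_add_commands(ips):
        # On a pf host run this as root via subprocess.run(cmd, check=True).
        print(" ".join(cmd))
```

Addresses placed in the table, whether by this script or by the overload rule, stay there until removed, so a periodic `pfctl -t bruteforce -T expire 86400` from cron is the usual way to drop entries older than a day.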
