<snip>

> Tonight I got 800+ attempts from the same IP.  I played with manually
> blocking the IP, but it was over before I got the firewall rules written
> and looked over them twice.
>
> Is there any way to block/limit the number of connections to a port in a
> given time period?  I was getting around 5 connects per second from the
> same IP/PORT (in Hungary :-( ).

<snip>

Well, we've got a different solution to this same problem. A custom
daemon was written in C and is being executed on the server machine.
Every time a user/client needs to SSH from an uncommon place, not
belonging to a local sshable client table, the user needs to connect
to the specific port on which the daemon is listening. The server
then adds the remote IP to the sshable pf table.

Once the user finishes the job, a new connection is made to another
port and the server removes the remote IP from the pf table.

It's a bit weird, but we completely solved this annoying problem of
dictionary attacks.

Since no data travels on the wire (the daemon closes the connection
right after accepting it), it is fairly secure.
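The two-port scheme described above, as an added example that is not the poster's daemon: a small C listener that adds the connecting peer's IPv4 address to the pf table "sshable" when it connects to one port and deletes it again on the other, closing every connection right after accept() so no data is ever read. The table name is the one the post mentions; the knock port numbers, running pfctl(8) through system(3), and the error handling are assumptions.

```c
/* Added example, not the poster's daemon. Assumed: knock ports 2222/2223, pf table "sshable". */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>
static const unsigned short ADD_PORT = 2222, DEL_PORT = 2223; /* assumed knock ports */
#define TABLE "sshable"                     /* table name from the post */
/* Build "pfctl -q -t sshable -T add|delete <ip>" for one peer; -1 for a non-IPv4 peer or an
 * undersized buffer. inet_ntop emits only digits and dots, so nothing peer-chosen reaches system(3). */
int pf_table_cmd(const struct sockaddr_in *peer, int add, char *out, size_t len)
{
    char ip[INET_ADDRSTRLEN];
    if (peer->sin_family != AF_INET ||
        inet_ntop(AF_INET, &peer->sin_addr, ip, sizeof ip) == NULL)
        return -1;
    int n = snprintf(out, len, "pfctl -q -t " TABLE " -T %s %s",
                     add ? "add" : "delete", ip);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
static int listen_on(unsigned short port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (s < 0 || setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0 ||
        bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 8) < 0) { perror("listen_on"); exit(1); }
    return s;
}
/* One knock: record the peer, close the connection immediately, then update the table. */
static void handle(int lsock, int add)
{
    struct sockaddr_in peer; socklen_t plen = sizeof peer; char cmd[128];
    int c = accept(lsock, (struct sockaddr *)&peer, &plen);
    if (c < 0) return;
    close(c);                               /* nothing is ever read or sent */
    if (pf_table_cmd(&peer, add, cmd, sizeof cmd) > 0) (void)system(cmd);
}
int main(void)
{
    int sa = listen_on(ADD_PORT), sd = listen_on(DEL_PORT);
    for (;;) {                              /* serve both knock ports from one loop */
        fd_set r; FD_ZERO(&r); FD_SET(sa, &r); FD_SET(sd, &r);
        if (select((sa > sd ? sa : sd) + 1, &r, NULL, NULL, NULL) < 0) continue;
        if (FD_ISSET(sa, &r)) handle(sa, 1);
        if (FD_ISSET(sd, &r)) handle(sd, 0);
    }
}
```

It has to run as root on the pf host, and the ruleset must still consult the table, for instance `pass in proto tcp from <sshable> to any port ssh`.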
