Hi,

I have rules like this one on the firewalls I manage:

pass in on $in_if proto tcp from any to <sshservers> port ssh \
    flags S/SA keep state \
    (source-track rule, max-src-states 30, max-src-conn 20, \
    max-src-conn-rate 15/30, overload <ssh-bruteforce> flush global)

block log from <ssh-bruteforce>

However, some legitimate remote users get their addresses added to the ssh-bruteforce table from time to time. I'd like to be able to figure out the reason (i.e. which condition triggers the overload).

Is there a way to have it logged somewhere that I'm missing?

Thanks in advance,
-- 
Matthieu Herrb