Hi
I have rules like this one on the firewalls I manage:
pass in on $in_if proto tcp from any to <sshservers> port ssh \
    flags S/SA keep state \
    (source-track rule, max-src-states 30, max-src-conn 20, \
    max-src-conn-rate 15/30, overload <ssh-bruteforce> flush global)
block log from <ssh-bruteforce>
However, some legitimate remote users get their addresses added to the
ssh-bruteforce table from time to time.
I'd like to be able to figure out the reason (i.e. which condition
triggers the overload). Is there a way to have it logged somewhere
that I'm missing?
Thanks in advance,
--
Matthieu Herrb
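As an added illustration (not part of the post above, and not the poster's own script), the following POSIX shell snippet shows how far a state-table snapshot can take you in attributing an overload event to one of the three per-source limits in that rule. It assumes that `pfctl -ss` prints inbound IPv4 states as `<if> <proto> <dst>:<port> <- <src>:<sport> <state>:<state>`; `gen_states` fabricates lines in that shape so the example runs offline, the 192.0.2.10 server address and the client addresses are constructed sample values. Of the three limits, `max-src-states` counts every state a source holds and `max-src-conn` only the ones that completed the handshake (`ESTABLISHED:ESTABLISHED`), so both can be checked from a snapshot; `max-src-conn-rate 15/30` is a rate over time and cannot be read off a single snapshot at all.

```shell
#!/bin/sh
# Added example; assumes `pfctl -ss` output of the form
#   all tcp 192.0.2.10:22 <- 198.51.100.5:50001       ESTABLISHED:ESTABLISHED
# for inbound IPv4 states. All addresses here are constructed sample data.

# gen_states IP N_ESTABLISHED N_HALFOPEN: emit constructed state lines from IP
# to the (assumed) SSH server 192.0.2.10, N_ESTABLISHED fully established and
# N_HALFOPEN still in the handshake.
gen_states() {
    ip=$1; est=$2; half=$3; port=50000
    i=0
    while [ "$i" -lt "$est" ]; do
        port=$((port + 1)); i=$((i + 1))
        printf 'all tcp 192.0.2.10:22 <- %s:%d       ESTABLISHED:ESTABLISHED\n' "$ip" "$port"
    done
    i=0
    while [ "$i" -lt "$half" ]; do
        port=$((port + 1)); i=$((i + 1))
        printf 'all tcp 192.0.2.10:22 <- %s:%d       SYN_SENT:CLOSED\n' "$ip" "$port"
    done
}

# check_ssh_sources [MAX_STATES] [MAX_CONN]: read `pfctl -ss` style lines on
# stdin, count per-source states and established connections to port 22, and
# name the limit each source has reached (defaults match the rule in the post).
# The rate limit (max-src-conn-rate) needs timestamps and is not checked here.
check_ssh_sources() {
    awk -v max_states="${1:-30}" -v max_conn="${2:-20}" '
        # Only inbound TCP states whose destination port is 22 (the ssh rule).
        $2 == "tcp" && $4 == "<-" {
            split($3, dst, ":"); if (dst[2] != "22") next
            split($5, src, ":"); ip = src[1]
            states[ip]++
            if ($6 == "ESTABLISHED:ESTABLISHED") conns[ip]++
        }
        END {
            for (ip in states) {
                verdict = "ok"
                if (states[ip] >= max_states) verdict = "max-src-states"
                else if (conns[ip] >= max_conn) verdict = "max-src-conn"
                printf "%s states=%d established=%d verdict=%s\n",
                       ip, states[ip], conns[ip] + 0, verdict
            }
        }' | sort
}

# Demo on constructed data: one source over the state limit, one at the
# connection limit, one legitimate user with a handful of sessions.
{
    gen_states 198.51.100.5 22 9
    gen_states 203.0.113.7 20 0
    gen_states 192.0.2.200 3 1
} | check_ssh_sources 30 20
```

On the firewall itself the same function would be fed live data with `pfctl -ss | check_ssh_sources 30 20`, which at least separates "many half-open states" (`max-src-states`) from "many real sessions" (`max-src-conn`) for an address that has just landed in the table. The `block log` line only records packets dropped after the fact; to attribute the `max-src-conn-rate` condition you would need per-connection timestamps, which pf can provide if the `pass` rule itself carries `log` so that state creations are written to pflog.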