On Fri, Mar 05, 2010 at 05:54:50PM +0100, Matthias Fechner wrote: > Hi, > > Am 05.03.10 17:01, schrieb Matthew Seaman: > >table <ssh-bruteforce> persist > >[...near the top of the rules section...] > >block drop in log quick on $ext_if from<ssh-bruteforce> > > > >[...later in the rules section...] > >pass in on $ext_if proto tcp \ > > from any to $ext_if port ssh \ > > flags S/SA keep state \ > > (max-src-conn-rate 3/30, overload<ssh-bruteforce> flush global) > > > > that is dangarous, if you use subversion over ssh you will sometimes get > more then 10 requests in 30 seconds. > That means you will also block users they are allowed to connect.
OK - that's good to know - but I'm not using subversion at this time, and this is working nicely so far. I've already picked off one hacker. # pfctl -t ssh-bruteforce -T show No ALTQ support in kernel ALTQ related functions disabled 218.56.61.114 Mar 5 10:40:05 elwood sshd[18452]: Invalid user test from 218.56.61.114 Mar 5 10:40:10 elwood sshd[18457]: Invalid user admin from 218.56.61.114 Apparently got him on the third attempt, just as advertised. -- John Lind j...@starfire.mn.org The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries. - Winston Churchill _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"