* Steve Williams <[EMAIL PROTECTED]> [050630 05:03]:
> Hi,
> 
> I am running OpenBSD 3.7-stable, pretty standard install, spamd 
> greylisting, httpd, sendmail.  Going over my log files, I have noticed 
> that I am more and more coming under attack with dictionary based login 
> attempts to the SSH port. 
> 
> I tried to search the mail list, but I can't seem to find any magic 
> combination of words that would reveal the secret to me.  Reading 
> pf.conf(5) didn't shed any light either..
> 
> Tonight I got 800+ attempts from the same IP.  I played with manually 
> blocking the IP, but it was over before I got the firewall rules written 
> and looked over them twice.
> 
> Is there any way to block/limit the number of connections to a port in a 
> given time period?  I was getting around 5 connects per second from the 
> same IP/PORT (in Hungary :-( ).
> 
> I can't think how this would work... unless there was a generic program 
> like spamd in greylisting mode...  But I'm not the first person to have 
> this problem, so there's likely a solution!  Can anyone shed some light?
> 
> Cheers,
> Steve Williams
> 

Check into configuring pf to use connection rate limiting and black
listing.

from pf.conf(5)

max-src-conn-rate _number_ / _seconds_
           Limit the rate of new connections over a time interval.  The
           connection rate is an approximation calculated as a moving
           average.

Check the archives for examples of this in conjunction with a table. Or
take a look at this article at Undeadly:

http://www.undeadly.org/cgi?action=article&sid=20041231195454

Jim
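To make the pf.conf(5) option quoted above concrete, here is an added example ruleset (not from the original thread, and not the Undeadly article's own rules) that combines max-src-conn-rate with a persistent table so that a source exceeding the rate is added to the table and blocked. The interface name $ext_if, the table name <bruteforce> and the threshold of 5 new connections per 30 seconds are assumptions chosen for illustration; tune the numbers to your own traffic. The `keep state` keyword is written out explicitly because the state-tracking options are attached to a stateful rule.

```conf
# Added example pf.conf(5) fragment for OpenBSD 3.7: rate-limit SSH logins
# per source address and blacklist offenders in a table.

ext_if = "fxp0"          # assumed external interface name

# Persistent table that survives a ruleset reload. Sources that exceed the
# connection rate below are added here automatically by "overload".
table <bruteforce> persist

# Drop everything from blacklisted sources first (quick: no further rules
# are evaluated for these packets).
block in quick on $ext_if from <bruteforce>

# Allow SSH, but only let each source open 5 new connections per 30 seconds
# (an approximate moving average, as pf.conf(5) says). A source that
# exceeds this is put into <bruteforce>, and "flush global" tears down
# every existing state from that source, not just the ones created by this
# rule.
pass in on $ext_if proto tcp to $ext_if port ssh flags S/SA \
        keep state (max-src-conn-rate 5/30, \
                    overload <bruteforce> flush global)
```

A few practical notes: load the rules with `pfctl -f /etc/pf.conf`, inspect who has been caught with `pfctl -t bruteforce -T show`, and remove stale entries with `pfctl -t bruteforce -T expire 86400` (entries older than the given number of seconds), for example from a daily cron job, so a blacklisted address is not kept forever. Because the counter is per source address, several legitimate users behind one NAT gateway share the same budget; if you administer hosts from a known address, consider a `pass in quick ... from <trusted>` rule placed before the rate-limited one so your own logins can never trip the limit.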
