* Steve Williams <[EMAIL PROTECTED]> [050630 05:03]:
> Hi,
>
> I am running OpenBSD 3.7-stable, pretty standard install, spamd
> greylisting, httpd, sendmail. Going over my log files, I have noticed
> that I am more and more coming under attack with dictionary based login
> attempts to the SSH port.
>
> I tried to search the mail list, but I can't seem to find any magic
> combination of words that would reveal the secret to me. Reading
> pf.conf(5) didn't shed any light either..
>
> Tonight I got 800+ attempts from the same IP. I played with manually
> blocking the IP, but it was over before I got the firewall rules written
> and looked over them twice.
>
> Is there any way to block/limit the number of connections to a port in a
> given time period? I was getting around 5 connects per second from the
> same IP/PORT (in Hungary :-( ).
>
> I can't think how this would work... unless there was a generic program
> like spamd in greylisting mode... But I'm not the first person to have
> this problem, so there's likely a solution! Can anyone shed some light?
>
> Cheers,
> Steve Williams
>
Check into configuring pf to use connection rate limiting and black listing.

From pf.conf(5):

    max-src-conn-rate _number_ / _seconds_
        Limit the rate of new connections over a time interval. The
        connection rate is an approximation calculated as a moving
        average.

Check the archives for examples of this in conjunction with a table. Or take
a look at this article at Undeadly:
http://www.undeadly.org/cgi?action=article&sid=20041231195454

Jim
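A worked pf.conf fragment showing the rate limit and table combination Jim describes, added here as an illustration and not taken from the thread or from the Undeadly article. The interface name `$ext_if`, the table name `bruteforce`, and the thresholds (5 new connections per 30 seconds, 10 concurrent) are assumed values for the example; the keywords themselves (`max-src-conn`, `max-src-conn-rate`, `overload`, `flush global`, and the `pfctl -t ... -T expire` command) are the documented 3.7-era pf syntax.

```pf
# /etc/pf.conf (example fragment, OpenBSD 3.7-era syntax)
ext_if = "fxp0"                 # assumed external interface name

# Persistent table that collects offending source addresses.
# "persist" keeps the table around even when no rule references it
# at reload time, so manually added entries are not lost.
table <bruteforce> persist

# Drop everything from addresses that have already tripped the limit.
# This must come BEFORE the pass rule and be "quick" so it wins.
block in quick on $ext_if from <bruteforce>

# Allow SSH, but keep per-source state limits on the new connections:
#   max-src-conn 10        - at most 10 simultaneous states per source
#   max-src-conn-rate 5/30 - at most 5 new connections per 30 seconds
#   overload <bruteforce>  - a source that exceeds either limit is
#                            added to the table...
#   flush global           - ...and all of its existing states (on any
#                            rule) are torn down immediately
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf` and watch the table fill with `pfctl -t bruteforce -T show`. Entries never leave the table on their own; a cron job such as `pfctl -t bruteforce -T expire 86400` removes addresses that have been there longer than a day, which keeps a dynamic address that once hosted a scanner from staying blocked forever. Pick the rate so that ordinary use (a few logins a minute from one admin host) stays well under it; the 5-per-second burst in Steve's log is two orders of magnitude above the 5-per-30-seconds threshold here.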