Another option is to do something like:

# Track state per rule: at most 75 distinct source addresses, and at most
# 3 simultaneous states per source address.
STATE_LIMIT="(source-track rule, max-src-nodes 75, max-src-states 3)"

...

# Only the initial SYN (flags $tcpInit) creates state, and the state
# carries the per-source limits above. $NET0_IN, $RAS and $tcpInit are
# macros defined elsewhere in the pf.conf (not shown).
$NET0_IN inet proto tcp from any to $RAS port ssh flags $tcpInit \
   keep state $STATE_LIMIT


Garance A Drosihn wrote:
> At 12:16 AM +0200 7/19/05, Romain GAILLEGUE wrote:
> > Today I looked in my log file, and just before an attack I saw
> > this kind of line:
> >
> > Jul 18 22:40:51 llaw sshd[15543]: Did not receive identification string
> > from 80.57.221.58
> >
> > So with swatch and pf (for example) it's possible to block this
> > IP for some hours just before the attack.
>
> I looked over some records I have from a few hosts, and while that
> error did pop up for some attacks, it did not pop up for other
> attacks.  So, while that is an interesting indicator of a possible
> attack, you will still have to handle attacks which will not
> give you that advance warning.
>
> Also, in some cases that advance warning showed up less than 20
> minutes before the attack, so you can't assume that you will have
> hours to react even if you do see the warning.



--
John R. Shannon
[EMAIL PROTECTED]

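The swatch-and-pf reaction Romain describes, written out as an added example (not code from any poster on this thread): a small Python watcher that parses sshd lines of the kind quoted above, counts "Did not receive identification string" hits per source address inside a time window, and emits pfctl commands that add the address to a pf table and later remove it again. The table name ssh_bruteforce, the threshold, the window and the four-hour block duration are assumptions; the table has to be declared in pf.conf (a `table <ssh_bruteforce> persist` line with a `block in quick from <ssh_bruteforce>` rule) for the commands to have any effect. The sample log is constructed; only its first line is the one quoted in the thread, rejoined onto one line. It runs in dry-run mode by default, so it can be exercised without pf. Garance's caveat still applies: this only reacts to attacks preceded by that line, so it complements rather than replaces John's per-source state limit.

```python
"""Watch sshd log lines for the pre-attack indicator quoted in the thread
and react by adding the source address to a pf table via pfctl.
Added example for this thread, not code from any poster; table name,
threshold, window and block duration are assumptions."""
import re
import subprocess
from collections import defaultdict
from datetime import datetime

# Assumed pf table; needs "table <ssh_bruteforce> persist" and a
# "block in quick from <ssh_bruteforce>" rule in pf.conf to take effect.
TABLE = "ssh_bruteforce"

# syslog timestamp, host, sshd[pid], then the exact message from the thread.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line, year=2005):
    """Return (timestamp, source_ip) for a matching line, else None.
    syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


class Blocker:
    """Count indicator hits per source inside a sliding window and block
    a source once it reaches the threshold (threshold=1 reproduces the
    'block on first sight' idea from the thread)."""

    def __init__(self, threshold=1, window_s=600, dry_run=True):
        self.threshold = threshold
        self.window_s = window_s
        self.dry_run = dry_run          # True: record commands, do not run them
        self.hits = defaultdict(list)   # ip -> timestamps inside the window
        self.blocked = {}               # ip -> time the block was added
        self.commands = []              # pfctl commands issued, in order

    def _pfctl(self, *args):
        cmd = ["pfctl", "-t", TABLE, "-T", *args]
        self.commands.append(" ".join(cmd))
        if not self.dry_run:
            subprocess.run(cmd, check=True)

    def feed(self, line, year=2005):
        """Process one log line; return the ip if it was blocked just now."""
        parsed = parse_line(line, year)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.blocked:
            return None
        recent = [t for t in self.hits[ip]
                  if (ts - t).total_seconds() <= self.window_s]
        recent.append(ts)
        self.hits[ip] = recent
        if len(recent) < self.threshold:
            return None
        self._pfctl("add", ip)
        self.blocked[ip] = ts
        del self.hits[ip]
        return ip

    def expire(self, now, max_age_s=4 * 3600):
        """Lift blocks older than max_age_s ("block ... for some hours")."""
        expired = [ip for ip, t in self.blocked.items()
                   if (now - t).total_seconds() >= max_age_s]
        for ip in expired:
            self._pfctl("delete", ip)
            del self.blocked[ip]
        return expired


# Constructed sample log: only the first line is the one quoted in the
# thread (rejoined onto one line); the rest are made up for the demo.
SAMPLE_LOG = """\
Jul 18 22:40:51 llaw sshd[15543]: Did not receive identification string from 80.57.221.58
Jul 18 22:41:03 llaw sshd[15550]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Jul 18 22:41:10 llaw sshd[15552]: Did not receive identification string from 80.57.221.58
Jul 18 23:05:17 llaw sshd[15601]: Did not receive identification string from 198.51.100.7
"""


def run_demo():
    """Feed the sample log with a two-hit threshold, then expire blocks
    four hours later. Returns (newly_blocked, expired, pfctl_commands)."""
    blocker = Blocker(threshold=2, window_s=600)
    newly_blocked = [ip for ip in map(blocker.feed, SAMPLE_LOG.splitlines()) if ip]
    expired = blocker.expire(datetime(2005, 7, 19, 2, 41, 10))
    return newly_blocked, expired, blocker.commands


if __name__ == "__main__":
    for cmd in run_demo()[2]:
        print(cmd)
```

In production this would be fed by tailing the auth log (or driven from swatch) with dry_run=False, and expire() called periodically; the threshold is a policy knob, since a single occurrence of the line is also produced by benign port scanners and monitoring probes.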