John Marten wrote:

>You know what I mean? Every day I get some script kiddie, or adult,
>trying to guess usernames or passwords.
>I've installed the newest version of SSH, so I'm covered there. But I
>still get a dozen or two of the
>"sshd Invalid user somename from ###.##.##.###"
>"input_userauth_request: invalid user somename"
>"Failed password for invalid user somename"
>"Received disconnect from ###.##.##.###"
>Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
>from ###.##.##.### to any flags S/SA'
>entry in my pf.conf file. But if I had to do that for every hacker my
>pf.conf would be huge!
>There's got to be a better way, and I'm open to suggestions.
You can try to limit the overly persistent number of incoming
connections.  Or you can run SSH on a non-default port.  Try the pf way
first with the max-src-conn-rate on all incoming connections.  I think
it's like pass in quick on $external from any to any port $services
flags... etc keep state (max-src-conn-rate 100/10) or whatever you need.

Brandon
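As an added illustration of the approach Brandon describes (this is not a rule set from the thread, and the interface name `$ext_if`, the table name `bruteforce`, and the rate `5/30` are assumptions you would tune for your own host), the state-tracking options can also send offending addresses into a table, so the rule set stays a few lines long no matter how many sources show up:

```conf
# Added example pf.conf fragment; assumed interface macro, tune the rate to taste.
ext_if = "em0"

# Table that collects addresses exceeding the connection rate. "persist"
# keeps the table around even while it is empty.
table <bruteforce> persist

# Drop everything from addresses already in the table.
block in quick on $ext_if from <bruteforce> to any

# Allow SSH, but if one source opens more than 5 new connections within
# 30 seconds, add it to <bruteforce> and tear down its existing states.
pass in quick on $ext_if inet proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Entries stay in the table until removed; a periodic `pfctl -t bruteforce -T expire 86400` (from cron, for example) drops addresses that have been listed longer than a day, and `pfctl -t bruteforce -T show` lists what is currently blocked.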