On 9/23/05, John Marten <[EMAIL PROTECTED]> wrote:
> There's got to be a better way, and I'm open to suggestions.

This is really something well dealt with in the archives, so please
search those for other suggestions. I'm sure there are better options.

Personally, I use the following combination of lines:

pass  in quick on $ext_if proto tcp from <beheer> to ($ext_if) \
        port ssh flags S/SA keep state
pass  in quick on $ext_if proto tcp from !<ssh-scan> to ($ext_if) \
        port ssh flags S/SA keep state \
        (max-src-conn-rate 10/10, overload <ssh-scan> flush global)

Combined with two tables ("beheer" for known administrator addresses
and "ssh-scan" for known offenders), this keeps most of my logs tidy.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
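
The two rules above placed in a loadable pf.conf fragment, as an added example that is not part of the original message. The interface name, the administrator addresses and the default-deny rule are assumptions; the two pass rules are the ones from the message.

```pf
# Added example, not from the original message.
ext_if = "em0"            # assumption: name of the external interface

# Known administrator addresses. Constructed values from the
# 192.0.2.0/24 documentation range.
table <beheer> persist { 192.0.2.10, 192.0.2.11 }

# Known offenders. Starts empty and is filled by pf itself through the
# "overload" option below; "persist" keeps the table when it is empty.
table <ssh-scan> persist

# Assumption: default-deny inbound. A source listed in <ssh-scan> no longer
# matches the second pass rule, so its new connections end up here.
block in on $ext_if

# Administrators: matched first, no rate limit, never put into <ssh-scan>
# because this rule carries no overload option.
pass  in quick on $ext_if proto tcp from <beheer> to ($ext_if) \
        port ssh flags S/SA keep state

# Every other source not yet listed: exceeding 10 new connections per
# 10 seconds adds the source to <ssh-scan>. "flush global" also kills the
# states that source already holds, whichever rule created them.
pass  in quick on $ext_if proto tcp from !<ssh-scan> to ($ext_if) \
        port ssh flags S/SA keep state \
        (max-src-conn-rate 10/10, overload <ssh-scan> flush global)
```

`pfctl -t ssh-scan -T show` lists the addresses caught so far, and `pfctl -t ssh-scan -T delete <address>` removes one that was listed by mistake.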
