On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote:
> "input_userauth_request: invalid user somename"
> "Failed password for invalid user somename"
haven't read the entire thread yet, so doubtless this has
come up, but i use:
--
e = sis2
table <bad_hosts> persist { }
pass in on $e inet proto tcp from any to (carp0:0) port 22 \
    synproxy state flags S/SA tag IBSSH
pass in log on $e tagged IBSSH keep state \
    (max-src-conn-rate 10/90 overload <bad_hosts> flush global)
block log quick from <bad_hosts>
--
i decided upon that rate after seeing what kind of rate i would
get the spam at.
most people seem to be trying at a rate of 1 attempt per 2-4 seconds,
so maybe the default in the "program" is ~3. a couple of smart people
seem to have adjusted that to 1 try per 10s.
caveat is that i currently haven't implemented a way to expire entries
out, however until you get something fancier tested/implemented,
some simple pf action like that above might fly
jared
--
[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]
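
An added example, not part of the original message: a way to test a max-src-conn-rate choice such as 10/90 against an sshd auth log before putting it in pf.conf. It assumes one "Failed password" line per connection and uses a plain sliding window, which approximates pf's own counter rather than reproducing it; the host name, addresses and log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT, WINDOW = 10, 90  # from the rule above: max-src-conn-rate 10/90

# sshd "Failed password" line as written to the auth log by syslog.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?\S+ from (\S+) port \d+")

def overloaded(lines, limit=LIMIT, window=WINDOW, year=2005):
    """Map each source that exceeds limit/window to the time it first does."""
    recent = defaultdict(deque)  # source -> timestamps inside the window
    hits = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m.group(2) in hits:
            continue
        # syslog omits the year, so it is supplied (assumption: one year per log)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()  # drop attempts older than the window
        if len(q) > limit:
            hits[m.group(2)] = ts.strftime("%H:%M:%S")
    return hits

def sample_log(src, interval, count):
    """Constructed log: one failed login from src every `interval` seconds."""
    base = datetime(2005, 9, 23, 11, 0, 0)
    return [f"{base + timedelta(seconds=i * interval):%b %d %H:%M:%S} gw "
            f"sshd[4242]: Failed password for invalid user somename "
            f"from {src} port 40000 ssh2" for i in range(count)]

if __name__ == "__main__":
    log = sample_log("192.0.2.10", 3, 40) + sample_log("198.51.100.7", 10, 40)
    for src, when in overloaded(log).items():
        print(f"{src} would land in <bad_hosts> at {when}")
```

Running it over a real auth log with different limit and window values shows which sources a given rate would have caught.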