On Fri, Sep 23, 2005 at 11:40:36AM -0700, John Marten wrote:
> "input_userauth_request: ivalid user somename"
> "Failed password for invalid user somename"

haven't read the entire thread yet, so doubtless this has come up, but i use:

--
e = sis2
table <bad_hosts> persist { }
pass in on $e inet proto tcp from any to (carp0:0) port 22 synproxy state flags S/SA tag IBSSH
pass in log on $e tagged IBSSH keep state (max-src-conn-rate 10/90 overload <bad_hosts> flush global)
block log quick from <bad_hosts>
--

i decided upon that rate after seeing what kind of rate i would get the spam. most people seem to be trying at a rate of 1 attempt per 2-4 seconds, so maybe the default in the "program" is ~3. a couple of smart people seem to have adjusted that to 1 try per 10s.

caveat is that i currently haven't implemented a way to expire entries out, however until you get something fancier tested/implemented, some simple pf action like that above might fly

jared

--
[ openbsd 3.8 GENERIC ( sep 10 ) // i386 ]
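
Added example (not part of the original post): a Python sketch of the measurement step the post describes, reading per-source failure times from sshd log lines and reporting at which attempt a max-src-conn-rate style limit would trip. Assumptions: the syslog line layout, one failed attempt per connection, a strict sliding window (a simplification, not pf's internal accounting), and the names parse, first_overload, report and sample; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog layout for sshd failures: "Mon DD HH:MM:SS host sshd[pid]: Failed password ..."
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def parse(lines, year=2005):
    """Return {source_ip: [seconds since Jan 1 of each failed attempt]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:  # syslog omits the year, so it is supplied by the caller
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[m.group(2)].append((ts - datetime(year, 1, 1)).total_seconds())
    return dict(hits)

def first_overload(times, limit, window):
    """1-based attempt number at which more than `limit` attempts fall inside
    the last `window` seconds, or None if the source never exceeds the limit."""
    recent = deque()
    for n, t in enumerate(sorted(times), 1):
        recent.append(t)
        while recent[0] <= t - window:  # drop attempts older than the window
            recent.popleft()
        if len(recent) > limit:
            return n
    return None

def report(lines, limit=10, window=90):
    """Map each source to the attempt that would move it into <bad_hosts>."""
    return {ip: first_overload(ts, limit, window) for ip, ts in parse(lines).items()}

def sample(ip, step, count):
    """Constructed log lines: `count` failures from `ip`, one every `step` seconds."""
    base = datetime(2005, 9, 23, 11, 0, 0)
    return [f"{base + timedelta(seconds=i * step):%b %d %H:%M:%S} gw sshd[{1000 + i}]: "
            f"Failed password for invalid user somename from {ip} port {40000 + i} ssh2"
            for i in range(count)]

# Constructed input: one source every 3 s and one every 10 s (documentation addresses).
LOG = sample("192.0.2.10", 3, 40) + sample("198.51.100.7", 10, 40)

if __name__ == "__main__":
    for limit, window in ((10, 90), (3, 90)):
        print(f"{limit}/{window}", report(LOG, limit, window))
```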