Dear Nick
I have tried your setup below. I too have the same setup and file placement
as you, but I am not using keys.
When I try to log on as an illegal user, the attempt is logged by
authlog, and having swatch running from the console it says:
1/1 addresses added.
I am using this 'table <sshdtrolls> persist file "/root/pf/sshdhackers"'
I don't get any entries in the sshdhackers file and I don't get blocked
from the system.
I also use AllowUsers
Would you mind explaining a bit more about your setup?
Friendly
Rico.
Nick Ryan wrote:
What you could also do is install swatch from ports or packages and have
a table in your pf.conf like this:
table <sshdtrolls> persist
and a rule
#stop ssh trolls
block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"
A swatchrc file of:
watchfor /Failed password for invalid user/
    exec /sbin/pfctl -t sshdtrolls -T add $13
    mail addresses=[EMAIL PROTECTED],subject=woo. we have a troll
    throttle 02:00
    exec echo $13 >> /root/swatchlog
Then run swatch with:
/usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &
(Note file locations and settings might need to be changed depending on
your config)
I also have the AllowUsers and use PubKeyAuthentication and
PasswordAuthentication No settings enabled in sshd_config. This means
that for a normal login the error "Failed password for invalid user"
won't come up as it'll never get that far as it's expecting a key.
If a troll tries to log in, they get one chance before the swatch picks
it up and adds it to the block table.
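An added example, not code from either message in this thread: it checks which whitespace field of a constructed authlog line holds the client address (Nick's swatchrc relies on it being $13) and builds the same pfctl call, printing it so the script runs on any host. The sample log lines are constructed, not real data.

```sh
#!/bin/sh
# Constructed authlog lines (not real log data) in OpenBSD's syslog layout.
SAMPLE_INVALID='Jun 12 10:15:01 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2'
SAMPLE_VALID='Jun 12 10:15:03 gw sshd[1236]: Failed password for root from 198.51.100.9 port 51240 ssh2'

# The Nth whitespace-separated field of a line: what swatch expands $N to.
field() {
  printf '%s\n' "$2" | awk -v n="$1" '{ print $n }'
}

# The word after "from", wherever it sits, so the result does not depend on
# whether the line says "invalid user NAME" or just a user name.
troll_ip() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); exit } }'
}

# Accept only a dotted quad so an unexpected line layout cannot push a stray
# word (a port number, "port", "ssh2") into the pf table.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The pfctl call from Nick's swatchrc, printed rather than executed; pipe the
# output to sh on the firewall to run it.  Note that "-T add" changes only the
# in-kernel table: a "file" clause on the table is read when the ruleset is
# loaded and is never written back, so that file stays empty.  Use
# "pfctl -t sshdtrolls -T show" to list what is actually loaded.
block_cmd() {
  ip=$(troll_ip "$1")
  is_ipv4 "$ip" || return 1
  printf '/sbin/pfctl -t sshdtrolls -T add %s\n' "$ip"
}

# Stand-alone run: $13 is the address only on "invalid user" lines; on a
# failed login for a real account it is the port number instead.
printf 'field 13 (invalid user line): %s\n' "$(field 13 "$SAMPLE_INVALID")"
printf 'field 13 (valid user line):   %s\n' "$(field 13 "$SAMPLE_VALID")"
block_cmd "$SAMPLE_VALID"
```

Because the watchfor pattern above only matches "invalid user" lines, $13 is safe there; a second rule for failed logins on real accounts would need the position-independent extraction instead.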