If these attempts all come from the same source, why not filter that IP
at the gateway level? What legit use does this person have on your
network on any port, much less ssh?



On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote:
> Expect I was not clear.
> 
> Someone is attacking address 1, address 2, address 3; those
> addresses are all blocked with respect to ssh, but because he
> is attacking those addresses, I want to stop an expected attack
> on address 4. I never want to pass ssh on address 1, address 2
> or address 3 ever; I want to use the information that someone
> was trying to ssh to those addresses to identify the person as
> an attacker.
> 
> 
> -----Original Message-----
> From: Matthias Kilian [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, May 31, 2006 3:02 PM
> To: Peter Fraser
> Cc: misc@openbsd.org
> Subject: Re: "ssh" attacks
> 
> On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> > block in on Outsize proto tcp port ssh flags S/SA 
> >  state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
> > 
> > This does not work. One gets a message that keeping state on
> > a blocked run makes no sense.
> 
> See the example on overload at
> http://www.openbsd.org/faq/pf/filter.html#stateopts
> 
> Basically, you pass and just block everything from <bad_hosts> in a
> separate rule.
> 
> Ciao,
>       Kili
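
The pattern Kili describes, written out as a pf.conf fragment. This is an added example, not part of the original thread or the FAQ text; the `ext_if` macro and the interface name are assumptions, while the table name and the 100/10 rate come from the rule quoted above.

```pf
# Added example. ext_if and "em0" are assumptions, not from the thread.
ext_if = "em0"

# Table filled by the overload action below; "persist" keeps it even
# when it is empty.
table <bad_hosts> persist

# Rejected form, as quoted in the thread: state options on a block rule.
# A block rule creates no state, so there is nothing to count.
#   block in on Outsize proto tcp port ssh flags S/SA
#    state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

# Default deny for inbound traffic on the external interface.
block in on $ext_if

# Separate rule that drops everything from a listed source. "quick"
# ends evaluation here, so the pass rule below never sees these hosts.
block in quick on $ext_if from <bad_hosts>

# The rate tracking lives on the pass rule. A source that opens more
# than 100 connections in 10 seconds is added to <bad_hosts>, and
# "flush global" kills every state that source already holds.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA \
    keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -t bad_hosts -T show` lists the sources that have been added to the table.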
