I blocked these guys by various means and watched what happened for a while. Sometimes there were lots of scans and other times there were only a few per day. But they were all hit and run scans, from IPs all over the place. You're going to fill your tables with IPs that aren't coming back. Pf does a fine job with tables, and my boxes never got slow or low on memory. But why waste resources for nothing? At that point you're really doing the same job as pflog. I ended up using a table for IPs allowed to ssh, others are blocked.
This has been asked before, and I tried many of the suggestions given,
especially with pf (max-src-conn). But the simplest way to stop this
is to change your ssh port. You can do all that tweaking in pf but your
logs will still show that someone tried, just that your logs will be
smaller. But change the port and you'll see no attempts whatsoever.
This is my experience. I agree with what this guy below says. I too
ended up only allowing certain IP addresses to ssh into my servers but
this is troublesome when you're at a new location and that location has
a dynamic address. I ultimately changed the port number and the only
inconvenience to me was remembering the new port number.