Sorry, I didn't fully comprehend your e-mail (that's what I get for reading my openbsd mail at work!) the first time around.
Have you attempted to write a script that gets the network address for a host via `whois` and start expanding the "blacklist"? For instance, monitor your logs for repeated attempts, and add that IP to a list. Then "grow" your denial subnet. Start denying traffic from the \30 network around that address, then up it to \29, then \28, etc etc until you've effectively cut out the offending network. The problem is that the offender may have a \26 network, but their IP is part of a \16 network that has been privately subnetted. So it's difficult to say "ok, jerk.com has xxx.yyy.zzz.xyz IP, and that belongs to xxx.yyy\16 network, so I'll block out all 65 thousand addresses."

On 7/6/06, Peter Blair <[EMAIL PROTECTED]> wrote:
Something like:

    pass in quick on $ext_if from { $friendly_networks } to any port ssh keep state
    block in on $ext_if from any to any port ssh

should work. You can place "$friendly_networks" into a table that gets loaded from a file if the list is large. And/or update it via pfctl on the fly.

On 7/6/06, Bharj, Gagan <[EMAIL PROTECTED]> wrote:
> Hello Folks,
>
> Our server is getting hammered on a daily basis by IPs trying to open an ssh
> session. Currently, I'm manually putting the subnets (in a pf table) that are
> repeatedly trying to get in. As you can see, this list will eventually get
> very big and will be unmaintainable. Is there any way that I can say only
> allow IP addresses from particular ISPs or domains?
>
> Regards,
> Gagan
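The "monitor your logs, add the IP to a list, then grow the denial subnet" idea from the thread, worked through as an added example (not code from anyone in this thread). It assumes OpenBSD-style sshd "Failed password" authlog lines; the log lines and addresses below are constructed (documentation ranges), and the threshold, table name and file path are hypothetical choices. It goes slightly beyond the message by collapsing the widened networks with Python's ipaddress module, so that two offenders in adjacent aligned blocks become one table entry instead of two overlapping ones.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample authlog lines in OpenBSD sshd style (addresses from
# RFC 5737 documentation ranges, not real hosts).
SAMPLE_AUTHLOG = """\
Jul  6 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul  6 10:01:05 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jul  6 10:01:09 host sshd[1235]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jul  6 10:02:00 host sshd[1240]: Failed password for invalid user test from 203.0.113.9 port 40001 ssh2
Jul  6 10:02:03 host sshd[1240]: Failed password for invalid user test from 203.0.113.9 port 40002 ssh2
Jul  6 10:02:06 host sshd[1240]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
Jul  6 10:05:00 host sshd[1250]: Failed password for invalid user oracle from 198.51.100.20 port 33000 ssh2
Jul  6 10:06:00 host sshd[1260]: Accepted publickey for gagan from 192.0.2.10 port 50000 ssh2
"""

# Matches only failed password attempts and captures the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def count_failures(log_text):
    """Count failed sshd password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts, threshold=3):
    """Addresses with at least `threshold` failures (threshold is a hypothetical choice)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def widen(ip, prefixlen):
    """The 'grow the denial subnet' step: the /prefixlen network containing ip."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def build_table(offender_ips, prefixlen=32):
    """Widen each offender to /prefixlen and collapse overlapping or adjacent
    aligned networks into the smallest equivalent set of pf table entries."""
    nets = [widen(ip, prefixlen) for ip in offender_ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def render_table_file(entries):
    """Text suitable for a pf table file, one network per line."""
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    hits = offenders(count_failures(SAMPLE_AUTHLOG))
    # Start at /30 as the message suggests; re-run with 29, 28, ... to grow it.
    table = build_table(hits, prefixlen=30)
    print(render_table_file(table), end="")
    # Load it into a table named "bruteforce" (hypothetical name and path):
    #   pfctl -t bruteforce -T replace -f /etc/pf/bruteforce
```

Run it after each log sweep and feed the output to `pfctl -t <table> -T replace -f <file>` so the table is swapped atomically rather than appended to. Widening beyond /30 merges quickly: in the sample, /30 yields two entries, /29 yields a single /28 covering both offenders, so check the collapsed result before loading it to avoid blocking an unintended neighbouring block.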