On Fri, Jan 11, 2008 at 10:51:41AM +0000, Stuart Henderson wrote:
> On 2008/01/11 12:33, Lars Noodin wrote:
> > 
> > I suppose another option is to use pf to filter out all incoming traffic
> > to the servers originating from Windows computers
> 
> you can take a look for yourself with tcpdump -O, but I think you'll
> find the ssh scans are more likely to be from some variety of unix.
> 
> an inclusive match is usually better e.g.
> pass proto tcp from any os "OpenBSD" to port ssh

that could be less useful if you have ipv6 connections in, no? since
pf.os(5) claims only to be able to fingerprint hosts "that originate an
IPv4 TCP connection".

but maybe the ssh client will fall back to using ipv4 if it meets that.
i am unsure.

jmc
