Lars Noodén wrote:

I suppose another option is to use pf to filter out all incoming traffic
to the servers originating from Windows computers, except maybe to
relevant services like the http or https ports.  If we could see a blanket
ban on connecting Windows machines to the net, things would improve
drastically.


Regards
-Lars


In the case of ssh these days, it seems to be nearly 100% zombied Linux
machines sourcing the attacks. I use a combination of overload and a
"Linux" os block and I only have about 1-3 attackers a month that make
it past the os block, then they get snared in the overload after their
six tries.

# Table that collects the sources snared by the overload rule below;
# it must exist before the rules that reference it can load
table <ssh-bruteforce> persist

# Drop and log ssh from any host whose TCP SYN fingerprints as Linux
block drop log quick on $ext_if proto tcp from any os "Linux" to any \
       port ssh label "Block ssh from Linux hosts"
# Drop and log anything from a source already in the overload table
block drop log quick on $ext_if from <ssh-bruteforce>
# Allow ssh, but a source opening more than 6 connections in 60 seconds
# is added to <ssh-bruteforce> and all of its existing states are flushed
pass in on $ext_if proto tcp from any to $ext_if port ssh \
       flags S/SA keep state \
       (max-src-conn-rate 6/60, overload <ssh-bruteforce> flush global)



YMMV. If you actually need to connect to your machines from Linux, then
exceptions will have to be made.
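The exception mentioned above, written out as an added pf.conf fragment (not from the original message): an allowlist table that is passed with "quick" before the Linux os block, so trusted Linux admin hosts skip both the fingerprint block and the overload rule while everything else keeps the original behaviour. The address 203.0.113.10 is a constructed placeholder; $ext_if is assumed to be defined as in the message.

```pf
# Trusted ssh sources (constructed placeholder address; use your own)
table <ssh-admins> persist { 203.0.113.10 }
# Sources caught by the overload rule; cleared with
#   pfctl -t ssh-bruteforce -T expire 86400   (drop entries older than a day)
table <ssh-bruteforce> persist

# Exception first: "quick" ends rule evaluation on a match, so a trusted
# Linux host never reaches the os block and is never rate-limited
pass in quick on $ext_if proto tcp from <ssh-admins> to $ext_if port ssh \
       flags S/SA keep state

# Everything else as in the original rule set
block drop log quick on $ext_if proto tcp from any os "Linux" to any \
       port ssh label "Block ssh from Linux hosts"
block drop log quick on $ext_if from <ssh-bruteforce>
pass in on $ext_if proto tcp from any to $ext_if port ssh \
       flags S/SA keep state \
       (max-src-conn-rate 6/60, overload <ssh-bruteforce> flush global)

# Check syntax without loading:  pfctl -nf /etc/pf.conf
# See who got snared:            pfctl -t ssh-bruteforce -T show
```

Keep in mind that the os match only fingerprints the TCP SYN, so the exception table, not the fingerprint, is what guarantees your own Linux clients get through.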
