Lars Noodén wrote:
I suppose another option is to use pf to filter out all incoming traffic to the servers originating from Windows computers maybe except to relevant services like http port or https. If we could see a blanket ban on connecting Windows machines to the net, things would improve drastically. Regards -Lars
In the case of ssh these days, it seems to be nearly 100% zombied Linux machines sourcing the attacks. I use a combination of overload and a "Linux" os block and I only have about 1-3 attackers a month that make it past the os block, then they get snared in the overload after their six tries.

    block drop log quick on $ext_if proto tcp from any os "Linux" to any port ssh label "Block ssh from Linux hosts"
    block drop log quick on $ext_if from <ssh-bruteforce>
    pass in on $ext_if proto tcp from any to $ext_if port ssh \
        flags S/SA keep state \
        (max-src-conn-rate 6/60, overload <ssh-bruteforce> flush global)

YMMV. If you actually need to connect to your machines from linux, then exceptions will have to be made.
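The rules above only work as intended when the overload table is declared and the rules are ordered so that the exceptions the poster mentions are evaluated first. The following is an added, complete pf.conf fragment written for this thread, not the poster's own configuration; the interface name em0 and the address 192.0.2.10 in the admin table are constructed placeholders to be replaced with your own values.

```pf
# Added example: brute-force SSH defence built from the rules in the thread.
# em0 and 192.0.2.10 are placeholders, not values from the original post.
ext_if = "em0"

# Overload table that the pass rule fills; "persist" keeps it alive even
# while it is empty, so pfctl can inspect and prune it at any time.
table <ssh-bruteforce> persist

# Trusted hosts that must be able to reach ssh even if they run Linux
# (the "exceptions" the poster refers to). Constructed address below.
table <ssh-admins> { 192.0.2.10 }

# 1. Anything already caught by the overload is dropped first, so a
#    snared host stays blocked regardless of what follows.
block drop log quick on $ext_if from <ssh-bruteforce>

# 2. Admin hosts are let in before the OS fingerprint block, otherwise
#    a Linux workstation in <ssh-admins> would be refused by rule 3.
pass in quick on $ext_if proto tcp from <ssh-admins> to $ext_if port ssh \
    flags S/SA keep state

# 3. Drop SSH SYNs whose passive OS fingerprint matches Linux.
block drop log quick on $ext_if proto tcp from any os "Linux" to any port ssh \
    label "Block ssh from Linux hosts"

# 4. Everyone else: allow ssh, but a source making more than 6 new
#    connections in 60 seconds is added to <ssh-bruteforce> and all of
#    its existing states are flushed ("flush global").
pass in on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 6/60, overload <ssh-bruteforce> flush global)
```

Two practical notes. The os match relies on pf's passive fingerprint database (pf.os) and is heuristic, so treat it as a noise reducer rather than an access control; the overload rule is the part that actually stops a persistent attacker, and it works for any source OS. Entries in the overload table never expire on their own: review them with `pfctl -t ssh-bruteforce -T show` and prune old ones from cron with `pfctl -t ssh-bruteforce -T expire 86400`, which removes entries older than 24 hours so a re-used dynamic address is not blocked forever.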