On Fri, Feb 16, 2007 at 04:50:10AM +0000, John wrote:
> ...What I'd like is to
> allow max 2 failures from one IP in 30 seconds, if more than that write
> to /etc/shitlist.txt which, if the connecting IP is found in there, logs
> and silently drops the connection. Can pf do this?
Yes, it can do this, depending on your release/version. Here is an
example of 3 attempts in 30 seconds which places the IP address into
an "ssh-attackers" table, and flushes all existing states for that IP from
the state table:
pass in proto tcp from any to any port ssh \
    keep state (max-src-conn-rate 3/30, \
    overload <ssh-attackers> flush global)
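The pieces John asked for that the rule above leaves implicit, as an added pf.conf fragment that is not part of the original reply: the table has to be declared, and a separate rule has to log and drop addresses already in it. The table name is an assumption; note also that max-src-conn-rate counts new TCP connections from a source, not failed logins, which pf cannot see.

```pf
# Added example, not from the original reply. Table name is an assumption.
# "persist" keeps the table defined even while it is empty.
table <ssh-attackers> persist

# Anything already in the table is logged to pflog and silently dropped
# (block without "return" sends no RST or ICMP). "quick" stops rule
# evaluation, so the pass rule below never sees these packets.
block in log quick from <ssh-attackers> to any

# A source that opens new SSH connections faster than 3 per 30 seconds
# is added to the table and all of its existing states are flushed.
# This counts TCP connections, not authentication failures.
pass in proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-attackers> flush global)
```

`pfctl -t ssh-attackers -T show` lists the addresses that have been added, and since overload never removes them on its own, `pfctl -t ssh-attackers -T expire 86400` (for example from cron) drops entries older than a day.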