Re: "ssh" attacks
From: Peter Fraser (pjf thinkage.ca)
Date: Wed May 31 2006 - 14:15:34 CDT
Expect I was not clear.
Someone is attacking address 1, address 2, address 3; those
addresses are all blocked with respect to ssh, but because he
is attacking those addresses, I want to stop an expected attack
on address 4. I never want to pass ssh on address 1, address 2
or address 3 ever; I want to use the information that someone
was trying to ssh to those addresses to identify the person as
an attacker.
-----Original Message-----
From: Matthias Kilian [mailto:kili outback.escape.de]
Sent: Wednesday, May 31, 2006 3:02 PM
To: Peter Fraser
Cc: misc openbsd.org
Subject: Re: "ssh" attacks
On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> block in on Outsize proto tcp port ssh flags S/SA
> state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
>
> This does not work. One gets a message that keeping state on
> a blocked run makes no sense.
See the example on overload at
http://www.openbsd.org/faq/pf/filter.html#stateopts
Basically, you pass and just block everything from <bad_hosts> in a
separate rule.
Ciao,
Kili
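
The pass-plus-separate-block layout Kili describes, as an added pf.conf example that is not part of the thread. The `ext_if` macro and its value are assumptions; the table name and rate limit are the ones from the quoted rule.

```pf
# Added example, not from the original messages.
# ext_if and "em0" are assumed names for the outside interface.
ext_if = "em0"

# Table filled by the overload action below; "persist" keeps it
# loaded even while it is empty.
table <bad_hosts> persist

# Drop everything from hosts that have already tripped the limit.
# "quick" stops evaluation here so the pass rule below cannot
# re-admit them.
block in quick on $ext_if from <bad_hosts>

# The rate limit has to sit on a pass rule: max-src-conn-rate counts
# state entries, and only a passed connection creates one. A source
# exceeding 100 connections in 10 seconds is added to <bad_hosts>
# and "flush global" kills all of its existing states.
# Attempts dropped by a block rule create no state and are never
# counted by this option.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA \
    keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
```

`pfctl -t bad_hosts -T show` lists the addresses the overload action has collected.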