Date: Thu, 10 Feb 2011 15:09:22 +0100
From: Damien Fleuriot
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
Message-ID: <4D53F192.2070004@my.gd>

On 2/9/11 10:00 PM, Vadym Chepkov wrote:
>
> On Feb 9, 2011, at 5:00 AM, Damien Fleuriot wrote:
>
>> Looks like my previous message didn't make it to the list.
>>
>> @OP: nothing indicates that your table is getting populated correctly.
>>
>> While this doesn't address your main issue, you may want to install
>> sshguard which will automatically blacklist attackers and populate a
>> dedicated table.
>
> Thanks for the suggestion, but as you said, it's a workaround.
> I'd rather try to understand why something that is supposed to work, does not.
> Because this is something I have visibility to. What if something else
> doesn't work as expected and I blindly trust it?
>
> Vadym

From one of your other messages in the thread, you seem to be afraid of
lowering the PF limits too much that it would blacklist you too.

With sshguard you could whitelist your own IPs, while configuring it to
blacklist people after 5 failed attempts in a minute for example.

That would achieve what you want to do here with the overload directive.
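
The same whitelist-plus-threshold idea expressed directly in pf.conf, as an added example that is not part of the original message or of anyone's actual ruleset. The interface name, table names and addresses are assumptions (the addresses are documentation ranges), and the 5/60 rate mirrors the "5 in a minute" figure above, although pf counts new connections per source rather than failed logins.

```conf
# Added example; em0, <trusted>, <bruteforce> and all addresses are assumed.
ext_if = "em0"

# Admin source addresses that must never be rate limited or blacklisted.
table <trusted> persist { 192.0.2.10, 198.51.100.0/24 }

# Filled by the overload rule below; starts empty.
table <bruteforce> persist

# 1. Trusted sources match first. "quick" stops evaluation here, so these
#    hosts never reach the rule that carries the overload limits.
pass in quick on $ext_if proto tcp from <trusted> to any port ssh \
    flags S/SA keep state

# 2. Anything already blacklisted is dropped before it can open a state.
block in quick on $ext_if from <bruteforce>

# 3. Everyone else may connect, within limits. A source that exceeds
#    10 simultaneous connections or 5 new connections in 60 seconds is
#    added to <bruteforce>; "flush global" also kills its existing states.
pass in quick on $ext_if proto tcp from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/60, \
     overload <bruteforce> flush global)

# Checks after loading the ruleset:
#   pfctl -nf /etc/pf.conf         parse only, report syntax errors
#   pfctl -t bruteforce -T show    list the addresses currently in the table
#   pfctl -vsr                     per-rule counters, to confirm rule 3 matches
```

If `pfctl -t bruteforce -T show` stays empty while attempts continue, the SSH traffic is being passed by a different rule than the one carrying the overload option.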