From: Matthias Fechner <idefix@fechner.net>
Date: Fri, 05 Mar 2010 17:54:50 +0100
To: freebsd-questions@freebsd.org
Subject: Re: Thousands of ssh probes
Message-ID: <4B91375A.4020503@fechner.net>
In-Reply-To: <4B912ADC.1040802@infracaninophile.co.uk>

Hi,

On 05.03.10 17:01, Matthew Seaman wrote:
> table persist
>
> [...near the top of the rules section...]
> block drop in log quick on $ext_if from
>
> [...later in the rules section...]
> pass in on $ext_if proto tcp \
>     from any to $ext_if port ssh \
>     flags S/SA keep state \
>     (max-src-conn-rate 3/30, overload flush global)

That is dangerous: if you use Subversion over ssh you will sometimes get more than 10 requests in 30 seconds. That means you will also block users who are allowed to connect.

Regards,
Matthias

-- 
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
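A pf.conf fragment that keeps the overload table from the quoted rule but exempts known-good sources (for example the hosts that run svn+ssh) from the connection-rate limit, added here as an example; it is not code from Matthew Seaman, Matthias Fechner or the FreeBSD project. It assumes `$ext_if` is already defined. The table names `ssh_bruteforce` and `ssh_trusted`, and the addresses listed in `ssh_trusted`, are this example's own choices (the table name in the quoted rule did not survive on this page).

```pf
# Added example, not part of the original thread. Assumes $ext_if is defined
# earlier in pf.conf. Table names and addresses are constructed for illustration.

# Sources that tripped the rate limit; populated by the overload option below.
table <ssh_bruteforce> persist

# Sources that may open many ssh sessions in a short time (e.g. svn+ssh clients).
# Addresses are sample values from documentation ranges, not real hosts.
table <ssh_trusted> persist { 192.0.2.10, 198.51.100.0/24 }

# [...near the top of the rules section...]
# Anything already in the overload table is dropped before any pass rule is seen.
block drop in log quick on $ext_if from <ssh_bruteforce>

# [...later in the rules section, BEFORE the rate-limited rule...]
# 'quick' ends rule evaluation here, so trusted sources never reach the
# rate-limited rule and therefore can never be added to <ssh_bruteforce>.
pass in quick on $ext_if proto tcp \
    from <ssh_trusted> to $ext_if port ssh \
    flags S/SA keep state

# Everyone else: more than 3 new connections in 30 s puts the source into
# <ssh_bruteforce>, and 'flush global' kills all of that source's existing states.
pass in on $ext_if proto tcp \
    from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh_bruteforce> flush global)
```

Two operational points follow from this layout. First, `flush global` tears down every existing state of the offending source, not just new ssh connections, so a legitimate user who trips the limit loses in-flight sessions too; the trusted-table bypass placed before the rate-limited rule is what keeps that from happening to known hosts. Second, pf does not age entries out of an overload table by itself: `pfctl -t ssh_bruteforce -T show` lists who has been caught, `pfctl -t ssh_bruteforce -T delete <address>` releases a single source, and a periodic `pfctl -t ssh_bruteforce -T expire 3600` removes entries older than an hour so a blocked user is not locked out until the next reboot.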