From owner-freebsd-questions@FreeBSD.ORG Mon May 3 16:42:06 2010
Date: Mon, 3 May 2010 13:42:02 -0300 (ADT)
From: Andrew Wright <ahamiltonwright@mta.ca>
To: John
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20100503144110.GA14402@elwood.starfire.mn.org>
References: <20100503144110.GA14402@elwood.starfire.mn.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
Subject: Re: pf suggestions for paced attack

On Mon, 3 May 2010, John wrote:

> The script kiddies have apparently figured out that we use some
> time-window sensitivity in our adaptive filtering. From sshd, I've

[ ... deletia ... ]

> Anybody got any superior suggestions?

I've been running a script using tail -F to watch /var/log/auth.log to count the total number of failures, and ix-nay anyone who reaches 10 fluffed attempts in 24 hours; this is managed by using pfctl to update the relevant table. It has worked pretty well for me over the last three or so years, and is immune to the current longer timeouts that you mention.

If anyone is interested, I can send (or I suppose post) the scripts.

Andrew
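One way to build the kind of watcher Andrew describes, as an added example that is not Andrew's script and not anything shipped by FreeBSD: a small sh/awk filter that tallies sshd failures per source address from auth.log-style lines and, the moment an address reaches the threshold, feeds it to a pfctl table. The pf table name `bruteforce`, the two sshd log patterns matched, the `dry` argument and the sample log lines are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Andrew's script. Count sshd login failures per source
# address and add repeat offenders to a pf table, streaming-friendly so it
# can sit behind "tail -F /var/log/auth.log".
# Assumptions: pf.conf declares "table <bruteforce> persist" and blocks
# traffic from it; the log lines look like FreeBSD sshd's (constructed below).
THRESHOLD=${THRESHOLD:-10}
PF_TABLE=${PF_TABLE:-bruteforce}

# stdin: log lines. stdout: each source address exactly once, printed on the
# line where its failure count first reaches THRESHOLD (so it works both on
# a finished file and on a live tail -F stream).
offenders() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: (Failed password for|error: PAM: authentication error for) / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && ++n[ip] == t) { print ip; fflush() }
        }'
}

# stdin: log lines. Adds each offender to the pf table; with the argument
# "dry" it only prints the pfctl command it would run.
block_offenders() {
    offenders | while read -r ip; do
        if [ "$1" = "dry" ]; then
            echo "pfctl -t $PF_TABLE -T add $ip"
        else
            pfctl -t "$PF_TABLE" -T add "$ip"
        fi
    done
}

# Constructed sample: 10 failures from 192.0.2.10 (9 password + 1 PAM),
# 2 from 198.51.100.7, and one successful login that must be ignored.
SAMPLE_LOG=$(
    i=0
    while [ $i -lt 9 ]; do
        echo "May  3 13:4$i:02 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 49173 ssh2"
        i=$((i + 1))
    done
    echo "May  3 13:50:01 gw sshd[1234]: error: PAM: authentication error for illegal user admin from 192.0.2.10"
    echo "May  3 13:50:05 gw sshd[1240]: Failed password for root from 198.51.100.7 port 51000 ssh2"
    echo "May  3 13:50:09 gw sshd[1241]: Failed password for root from 198.51.100.7 port 51001 ssh2"
    echo "May  3 13:51:00 gw sshd[1250]: Accepted publickey for andrew from 203.0.113.5 port 40000 ssh2"
)

# Demo on the sample in dry-run mode (prints one pfctl command for 192.0.2.10).
# Live use would be:  tail -F /var/log/auth.log | block_offenders
printf '%s\n' "$SAMPLE_LOG" | block_offenders dry
```

The 24-hour window Andrew mentions is the part this filter deliberately leaves to pf: with the table declared `persist`, a daily `pfctl -t bruteforce -T expire 86400` drops entries older than a day, and restarting the watcher at the same time resets the in-memory counts, which keeps the script itself stateless and immune to how slowly the attempts are paced.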