From owner-freebsd-security@FreeBSD.ORG  Sun Sep 26 08:33:04 2004
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 54A0416A4CE
	for <freebsd-security@freebsd.org>;
	Sun, 26 Sep 2004 08:33:04 +0000 (GMT)
Received: from mproxy.gmail.com (rproxy.gmail.com [64.233.170.201])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0D4BD43D3F
	for <freebsd-security@freebsd.org>;
	Sun, 26 Sep 2004 08:33:04 +0000 (GMT)
	(envelope-from david.downey@gmail.com)
Received: by mproxy.gmail.com with SMTP id 79so3085326rnk
	for <freebsd-security@freebsd.org>;
	Sun, 26 Sep 2004 01:33:03 -0700 (PDT)
Received: by 10.38.163.10 with SMTP id l10mr17725rne;
        Sun, 26 Sep 2004 01:33:02 -0700 (PDT)
Received: by 10.38.82.69 with HTTP; Sun, 26 Sep 2004 01:33:02 -0700 (PDT)
Message-ID: <6917b78104092601339f77948@mail.gmail.com>
Date: Sun, 26 Sep 2004 04:33:02 -0400
From: "David D.W. Downey" <david.downey@gmail.com>
To: Alex de Kruijff <freebsd@akruijff.dds.nl>
In-Reply-To: <20040924214909.GA784@alex.lan>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <414C2798.7060509@withagen.nl>
	 <6917b781040918103077c76f0c@mail.gmail.com>
	 <20040924214909.GA784@alex.lan>
cc: "freebsd-security@FreeBSD.ORG" <freebsd-security@freebsd.org>
Subject: Re: Attacks on ssh port
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "David D.W. Downey" <david.downey@gmail.com>
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Sep 2004 08:33:04 -0000

On Fri, 24 Sep 2004 23:49:09 +0200, Alex de Kruijff
<freebsd@akruijff.dds.nl> wrote:
> >
> > Then you can still see the attempts (and thus log the IP information
> > for contacting the abuse@ for the responsible IP controller) while
> > limiting your log sizes.
>
> This only logs the first tree catches (when the log attribuut is set)
> per rule. You may want to set this a little higher like 100.
>

while I agree my example of 3 was low (meant only to instruct) I would
say more along the lines of 25. if someone is hitting you 25 times in
a row and getting tagged by that rule, you can bet your butt it's not
a client of your's.

-- 
David D.W. Downey