From owner-freebsd-pf@FreeBSD.ORG  Mon May 26 16:31:42 2008
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 37C521065675
	for <freebsd-pf@freebsd.org>; Mon, 26 May 2008 16:31:42 +0000 (UTC)
	(envelope-from peter@bsdly.net)
Received: from skapet.bsdly.net (cl-426.sto-01.se.sixxs.net
	[IPv6:2001:16d8:ff00:1a9::2])
	by mx1.freebsd.org (Postfix) with ESMTP id E0E2B8FC2B
	for <freebsd-pf@freebsd.org>; Mon, 26 May 2008 16:31:41 +0000 (UTC)
	(envelope-from peter@bsdly.net)
Received: from thingy.bsdly.net
	([10.168.103.11] helo=thingy.bsdly.net.bsdly.net ident=peter)
	by skapet.bsdly.net with esmtp (Exim 4.69)
	(envelope-from <peter@bsdly.net>) id 1K0fbo-00020e-Cw
	for freebsd-pf@freebsd.org; Mon, 26 May 2008 18:31:40 +0200
To: freebsd-pf@freebsd.org
References: <abc784790805251820x62a763aem67d262b1a103f41c@mail.gmail.com>
From: peter@bsdly.net (Peter N. M. Hansteen)
Date: Mon, 26 May 2008 18:31:39 +0200
In-Reply-To: <abc784790805251820x62a763aem67d262b1a103f41c@mail.gmail.com>
	(John .'s message of "Mon, 26 May 2008 02:20:45 +0100")
Message-ID: <87mymdm3h0.fsf@thingy.bsdly.net>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: auto-blackholing/blacklisting on multiple hacking attempts
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 26 May 2008 16:31:42 -0000

"John ." <comp.john@googlemail.com> writes:

> I'd like it to be so that if an IP tries to connect to sshd more than
> once in a 30 second period, that they are immediately blackholed.
> Should I be using pf for this or would it be done better in some other
> utility?

PF offers a very flexible mechanism for that, via state tracking options.
See eg http://home.nuug.no/~peter/pf/en/bruteforce.html for a walkthrough.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.