Date:      Thu, 10 Feb 2011 15:09:22 +0100
From:      Damien Fleuriot <ml@my.gd>
To:        Vadym Chepkov <vchepkov@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: brutal SSH attacks
Message-ID:  <4D53F192.2070004@my.gd>
In-Reply-To: <A52E3BB1-E89C-472E-8200-07DFA9E2DE53@gmail.com>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>	<4D51A061.20704@sentex.net> <FFC11535-7638-4FE7-84EC-EED8D9A443BA@gmail.com> <4D5265AF.4060600@my.gd> <A52E3BB1-E89C-472E-8200-07DFA9E2DE53@gmail.com>



On 2/9/11 10:00 PM, Vadym Chepkov wrote:
> 
> 
> On Feb 9, 2011, at 5:00 AM, Damien Fleuriot wrote:
> 
>> Looks like my previous message didn't make it to the list.
>>
>>
>> @OP: nothing indicates that your table is getting populated correctly.
>>
>> While this doesn't address your main issue, you may want to install
>> sshguard which will automatically blacklist attackers and populate a
>> dedicated table.
>>
> 
> 
> Thanks for the suggestion, but as you said, it's a workaround. 
> I'd rather try to understand why something that is supposed to work does not.
> Because this is something I have visibility to. What if something else doesn't work as expected and I blindly trust it? 
> 
> Vadym
> 


From one of your other messages in the thread, you seem to be afraid of
lowering the PF limits so much that it would blacklist you too.

With sshguard you could whitelist your own IPs, while configuring it to
blacklist people after 5 failed attempts in a minute for example.

That would achieve what you want to do here with the overload directive.
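
The policy described in the message above (whitelist your own addresses, block a source after 5 failed attempts within a minute), as an added example that is not part of the original e-mail and is not sshguard's own code. The log line format, the function names and the sample addresses are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed OpenSSH syslog format for a failed password attempt.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from ([0-9A-Fa-f:.]+) port")

def offenders(log_text, whitelist, max_failures=5,
              window=timedelta(seconds=60), year=2011):
    """Return source IPs, in order of detection, that reach max_failures
    failed logins inside one sliding window. Whitelisted sources are
    never counted, so they can never be blocked."""
    nets = [ip_network(w) for w in whitelist]
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = ip_address(m.group(2))
        if any(ip in net for net in nets):
            continue              # whitelist wins over any failure count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and str(ip) not in blocked:
            blocked.append(str(ip))
    return blocked

def _line(hms, ip):
    return f"Feb 10 {hms} gw sshd[811]: Failed password for root from {ip} port 4101 ssh2"

# Constructed sample log (documentation addresses, not from the thread).
SAMPLE_LOG = "\n".join(
    [_line(f"15:00:{s:02d}", "203.0.113.7") for s in (1, 9, 17, 25, 33)]    # 5 in 32 s
    + [_line(f"15:{m:02d}:00", "198.51.100.20") for m in (0, 2, 4, 6, 8)]   # 5 in 8 min
    + [_line(f"15:00:{s:02d}", "192.0.2.10") for s in range(40, 46)]        # admin typos
    + ["Feb 10 15:01:00 gw sshd[811]: Accepted publickey for admin from 192.0.2.10 port 4101 ssh2"]
)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG, whitelist=["192.0.2.0/24"]))
```

With the whitelist empty, the admin address 192.0.2.10 is flagged as well, which is the self-lockout case the whitelist is there to prevent.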


