From: Matthias Fechner
Date: Fri, 05 Mar 2010 18:51:42 +0100
To: freebsd-questions@freebsd.org
Subject: Re: Thousands of ssh probes
Message-ID: <4B9144AE.8070909@fechner.net>
In-Reply-To: <20100305171003.GA18881@elwood.starfire.mn.org>

Hi,

On 05.03.2010 18:10, John wrote:
> I have just switched to pf from ipfw, so I am still learning the
> nuances and style points.

I have now switched to security/sshguard-pf.
It works perfectly and also blocks via pf.

Blocking is working there with:
table persist
block in log quick proto tcp from to any label "ssh bruteforce" probability 85%

So I let 15% of the packets through in the hope that this will slow down these brute force attacks and that I can protect other hosts in this step.
Hopefully the attacker then stays longer in my tarpit.

Bye
Matthias

-- 
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
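
The message above covers the blocking side in pf. As an added example (not part of the original message and not sshguard's own code), this Python code illustrates the detection side that feeds such a table: it counts failed sshd logins per source address and builds the `pfctl` calls that would add offenders to the table. The table name `sshguard` (the rules as archived do not show one), the threshold of 3 and the log lines are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

PF_TABLE = "sshguard"  # assumption: table name, not shown in the rules as archived
THRESHOLD = 3          # hypothetical cut-off, not sshguard's own scoring

# The user name is text chosen by the remote side, so the pattern is anchored
# at the end of the line and the greedy ".*" leaves only the final
# "from ADDR port N ssh2" to supply the address.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = """\
Mar  5 17:01:10 server sshd[4101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  5 17:01:12 server sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar  5 17:01:15 server sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2
Mar  5 17:02:40 server sshd[4110]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar  5 17:02:51 server sshd[4110]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Mar  5 17:03:05 server sshd[4120]: Failed password for invalid user oracle from 2001:db8::bad port 40100 ssh2
"""


def offenders(log_text, threshold=THRESHOLD):
    """Return source addresses with at least `threshold` failed logins, sorted."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or junk: never pass it on to a command line
        counts[str(addr)] += 1
    return sorted(a for a, n in counts.items() if n >= threshold)


def pfctl_commands(addresses, table=PF_TABLE):
    """Build the pfctl argument lists that add each address to the pf table."""
    return [["pfctl", "-t", table, "-T", "add", a] for a in addresses]


if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_LOG)):
        print(" ".join(cmd))
```

The single successful login from 198.51.100.20 after one mistyped password stays below the threshold, so a legitimate user is not added to the table.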