From owner-freebsd-pf@FreeBSD.ORG Mon May 26 01:46:27 2008
From: "John ." <comp.john@googlemail.com>
Date: Mon, 26 May 2008 02:20:45 +0100
To: freebsd-pf@freebsd.org
Subject: auto-blackholing/blacklisting on multiple hacking attempts
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I'm running FreeBSD 7-RELEASE. I see this, for example, in my auth log:

May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
May 15 02:00:43 www sshd[9184]: Invalid user web from 201.18.232.30
May 15 02:00:45 www sshd[9186]: Invalid user web from 201.18.232.30
May 15 02:00:48 www sshd[9188]: Invalid user web from 201.18.232.30
May 15 02:00:50 www sshd[9190]: Invalid user web from 201.18.232.30
May 15 02:00:52 www sshd[9192]: Invalid user web from 201.18.232.30
May 15 02:00:54 www sshd[9194]: Invalid user web from 201.18.232.30
May 15 02:00:56 www sshd[9196]: Invalid user web from 201.18.232.30
May 15 02:00:58 www sshd[9198]: Invalid user web from 201.18.232.30
May 15 02:01:00 www sshd[9200]: Invalid user web from 201.18.232.30
May 15 02:01:02 www sshd[9205]: Invalid user web from 201.18.232.30
May 15 02:01:04 www sshd[9207]: Invalid user account from 201.18.232.30
May 15 02:01:06 www sshd[9209]: Invalid user account from 201.18.232.30
May 15 02:01:08 www sshd[9211]: Invalid user account from 201.18.232.30
May 15 02:01:10 www sshd[9213]: Invalid user account from 201.18.232.30
May 15 02:01:12 www sshd[9218]: Invalid user account from 201.18.232.30
May 15 02:01:14 www sshd[9220]: Invalid user account from 201.18.232.30
May 15 02:01:39 www sshd[9244]: Invalid user apache from 201.18.232.30
May 15 02:01:41 www sshd[9246]: Invalid user apache from 201.18.232.30
May 15 02:01:43 www sshd[9248]: Invalid user apache from 201.18.232.30
May 15 02:01:45 www sshd[9250]: Invalid user apache from 201.18.232.30
May 15 02:01:47 www sshd[9252]: Invalid user apache from 201.18.232.30

I'd like it to be so that if an IP tries to connect to sshd more than once in a 30 second period, they are immediately blackholed.

Should I be using pf for this or would it be done better in some other utility?

cheers
-- John
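One way to do this in pf itself, shown here as an added example that is not from John's post or from a list reply: pf's per-source state tracking puts any address that opens new SSH connections faster than a threshold into a table, and a block rule drops everything from the table's members. The interface name em0 and the 3/30 threshold are assumptions; the exact 1/30 John asks for is the same rule with a different number, but it would also cut off a legitimate user who opens two sessions within half a minute.

```pf
# Added example (not from the original list post). Assumed interface name
# and threshold; adjust both for the host in question.
ext_if = "em0"

# Table that holds blackholed sources. "persist" keeps the table even when
# it is empty, so it can be inspected and edited with pfctl -t.
table <bruteforce> persist

# Drop traffic from blackholed sources before any other rule is evaluated.
block in quick on $ext_if from <bruteforce> to any

# Allow SSH, but track state per source address. A source that opens more
# than 3 new connections within 30 seconds is added to <bruteforce>, and
# "flush global" tears down every state that address already holds, so the
# session it was brute-forcing on is cut as well.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <bruteforce> flush global)
```

pf counts new TCP connections, not failed logins, so the table also catches a user who reconnects quickly. `pfctl -t bruteforce -T show` lists the blocked addresses; entries stay until removed, for example by `pfctl -t bruteforce -T expire 86400` run from cron to release addresses older than a day.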