On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote:
> I expect I was not clear.
> 
> Someone is attacking address 1, address 2, address 3; those
> addresses are all blocked with respect to ssh, but because he
> is attacking those addresses, I want to stop an expected attack
> on address 4. I never want to pass ssh on address 1, address 2
> or address 3 ever; I want to use the information that someone
> was trying to ssh to those addresses to identify the person as
> an attacker.

Oh, sorry for not reading exactly.

So your problem is that you want to get state for ssh connection
attempts to addresses 1, 2 and 3 but at the same time want to block
those connections. This isn't possible (no connection - no state).

(QUICK HACK ALERT)

But it may be possible to redirect those connections to some unused
port on localhost (i.e. the firewall), let something listen on this
port, accepting everything but immediately closing the connection.
Then use a simple pass rule with overload and max-src-conn options
to add offending addresses to your table.

Ciao,
        Kili

ps: I didn't test the above, so if it's complete nonsense, feel
free to flame me.
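A concrete version of the hack Kili sketches, as an added example that is not part of the original message or of anyone's tested configuration. The interface name em0, the addresses 192.0.2.1-4, the local port 2222, the table name <bruteforce> and the inetd listener line are assumptions; the rule syntax is the pre-OpenBSD 4.7 form (separate rdr and pass rules, explicit keep state) that was current when this was written.

```pf
ext_if = "em0"
# Honeypot addresses: ssh is never meant to reach them (assumed values).
honeypots = "{ 192.0.2.1, 192.0.2.2, 192.0.2.3 }"
# The address whose ssh service we actually want to protect (assumed value).
protected = "192.0.2.4"

table <bruteforce> persist

# 1. Anything already in the table is blocked on every address,
#    including the protected one, so probing the honeypots costs
#    the attacker ssh access to 192.0.2.4 as well.
block in quick on $ext_if from <bruteforce> to any

# 2. Redirect ssh attempts to the honeypot addresses to a throwaway
#    port on the firewall itself.  Nothing ever reaches the honeypot
#    addresses, so the "never pass ssh there" requirement still holds.
rdr on $ext_if proto tcp from any to $honeypots port ssh -> 127.0.0.1 port 2222

# 3. The filter sees the translated destination.  Pass it with state so
#    the source-tracking options can fire.  Because the listener closes
#    each connection at once, a concurrent-connection limit (max-src-conn)
#    would almost never trigger; a rate limit does.  More than one
#    completed connection from one source within five minutes adds it to
#    the table, and "flush global" tears down that source's other states.
pass in on $ext_if proto tcp from any to 127.0.0.1 port 2222 \
    flags S/SA keep state \
    (source-track rule, max-src-conn-rate 1/300, \
     overload <bruteforce> flush global)

# 4. Normal ssh to the protected address (evaluated after the block in 1).
pass in on $ext_if proto tcp from any to $protected port ssh \
    flags S/SA keep state

# Listener (assumption, not part of pf): one inetd.conf entry is enough.
# inetd accepts the connection and runs /usr/bin/true, which exits
# immediately, so the socket is closed right after the handshake:
#   127.0.0.1:2222 stream tcp nowait nobody /usr/bin/true true
```

The listener has to really accept, not just be a closed port: pf counts a connection towards max-src-conn and max-src-conn-rate only once the TCP handshake has completed, and a SYN to a closed port is answered with a RST and never gets that far. After loading the rules, `pfctl -t bruteforce -T show` lists who has been caught, and `pfctl -t bruteforce -T delete <addr>` releases a false positive.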
