Why? You say that you block SSH on 1, 2, 3 and then that you want to do something MORE on 4? You probably already have 'block all' and then allow ssh on one of your boxes, that's it.

Maybe you want an IDS system or an SSH tarpit, but this is not the job for pf. Tobias Ulmer made some good points in his mail, including 'this is stupid'.

Cheers,
/jkm

* Peter Fraser ([EMAIL PROTECTED]) wrote:
> Expect I was not clear.
>
> Someone is attacking address 1, address 2, address 3; those
> addresses are all blocked with respect to ssh, but because he
> is attacking those addresses, I want to stop an expected attack
> on address 4. I never want to pass ssh on address 1, address 2
> or address 3 ever; I want to use the information that someone
> was trying to ssh to those addresses to identify the person as
> an attacker.
>
>
> -----Original Message-----
> From: Matthias Kilian [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 31, 2006 3:02 PM
> To: Peter Fraser
> Cc: [email protected]
> Subject: Re: "ssh" attacks
>
> On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> > block in on Outsize proto tcp port ssh flags S/SA
> > state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
> >
> > This does not work. One gets a message that keeping state on
> > a blocked rule makes no sense.
>
> See the example on overload at
> http://www.openbsd.org/faq/pf/filter.html#stateopts
>
> Basically, you pass and just block everything from <bad_hosts> in a
> separate rule.
>
> Ciao,
> Kili
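The following pf.conf fragment is an added example of the rule layout Kili points to in the FAQ (pass with a state option that overloads into a table, and a separate block rule for the table). It is not from any post in this thread and is not Peter's actual configuration; the interface name, the four addresses, the rate limit and the table name are assumptions chosen for illustration.

```pf
# Added example, not from the thread. Assumed interface and addresses:
ext_if     = "em0"
ssh_decoys = "{ 192.0.2.1, 192.0.2.2, 192.0.2.3 }"   # "address 1, 2, 3" (assumed)
ssh_host   = "192.0.2.4"                              # "address 4" (assumed)

table <bad_hosts> persist

# Evaluated first because of "quick": a source already in the table is
# dropped on every address, including $ssh_host.
block in quick on $ext_if from <bad_hosts>

# pf can only count what it keeps state on, so the decoy addresses get a
# pass rule, not a block rule. max-src-conn-rate 1/30 allows one new
# connection per source per 30 seconds; the next one adds the source to
# <bad_hosts> and "flush global" kills all of that source's states.
pass in on $ext_if proto tcp from any to $ssh_decoys port ssh \
    flags S/SA keep state (max-src-conn-rate 1/30, overload <bad_hosts> flush global)

# The real service, reachable only by sources not yet in the table.
pass in on $ext_if proto tcp from any to $ssh_host port ssh \
    flags S/SA keep state
```

The caveat Peter's follow-up raises still applies: with this layout the first SYN per window to a decoy address is passed, not blocked, because that is what creates the state pf counts. If nothing listens on the decoys the host answers with a RST and the attacker learns little, but it is not the "never pass" behaviour he asked for. Entries can be aged out with `pfctl -t bad_hosts -T expire <seconds>` from cron so a shared NAT address is not banned indefinitely.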

