On Mon, Jun 28, 2021 at 06:38:21PM +0200, Matthieu Herrb wrote:
> I have rules like this one on the firewalls I manage:
>
> pass in on $in_if proto tcp from any to <sshservers> port ssh \
> flags S/SA keep state \
> (source-track rule, max-src-states 30, max-src-conn 20, \
> max-src-conn-rate 15/30, overload <ssh-bruteforce> flush
> global)
>
> block log from <ssh-bruteforce>
>
> However some legitimate remote users get their addresses added to the
> ssh-bruteforce table from time to time.
>
> I'd like to be able to figure out the reason (ie which condition
> triggers the overload). Is there a way to have it logged somewhere
> that I'm missing?
`set debug notice' should syslog(3) addresses being overloaded in the first place, but I'm fairly certain there is currently no way to get more than that.
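As an added example (not code from either message in this thread), here is a pf.conf fragment that pairs the rule quoted above with the `set debug notice` suggestion and the `table` declaration the rule needs, with each of the three limits annotated with what it actually counts. The comments also list the standard `pfctl` invocations for inspecting the overload table and the per-source counters, which is the closest thing to an after-the-fact answer to "which condition fired" that pf exposes. The `$in_if` value, the `<sshservers>` contents and the 192.0.2.1 address are constructed for the example.

```pf
# Assumed interface macro and server table (constructed values).
in_if = "em0"
table <sshservers> { 192.0.2.10, 192.0.2.11 }

# The overload table must exist before a rule can add to it;
# "persist" keeps it around even when empty.
table <ssh-bruteforce> persist

# Log each address as it is overloaded into the table (syslog, via pflogd/syslogd).
set debug notice

pass in on $in_if proto tcp from any to <sshservers> port ssh \
    flags S/SA keep state \
    (source-track rule, \
     max-src-states 30, \      # simultaneous state entries from one source on this rule
     max-src-conn 20, \        # simultaneous TCP connections that completed the handshake
     max-src-conn-rate 15/30, \ # more than 15 new connections within any 30-second window
     overload <ssh-bruteforce> flush global)  # flush global: kill every state from that source

block log from <ssh-bruteforce>

# Inspection, typed at the shell, to compare a complained-about address with the limits:
#   pfctl -t ssh-bruteforce -T show        # who is currently blocked
#   pfctl -vsS                             # source-tracking entries: current states,
#                                          # connections and connection rate per source
#   pfctl -ss | grep 192.0.2.1             # live states for one source
#   pfctl -t ssh-bruteforce -T delete 192.0.2.1   # release a legitimate user
```

Because a single pass rule creates the state, all three limits share one overload table, so the table entry alone cannot say which limit tripped; the `pfctl -vsS` counters taken while a user is active are what let you see whether a burst of short-lived sessions (the rate limit) or many parallel sessions (the state or connection limits) is the more likely cause.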