With OpenBSD 3.7 I can finally easily detect and block those annoying ssh scanning zombies with the following pf rule:

    pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
        flags S/SA keep state (max-src-conn-rate 5/60, \
        overload <zombies> flush global)

Then I can block all IPs in the <zombies> table (I automatically phase IPs out of the table after a couple days in daily.local).

This is all fine and good for my server, but I'd rather tarpit the suckers instead of blocking them outright after 5 connections. It would be easy to rdr them to a tarpit process, but I haven't seen any tarpits on the web that simulate ssh servers.

I think ideally there could be a public honeypot server somewhere I could redirect them to, where their IPs and activity could be centrally logged and email could be automatically sent to the abuse@ address in the whois(1) entry. I'm doing this manually for the ~2 zombies daily I discover, but it's a bit tedious.

So what's the best solution here? Is there a better way than hacking the sshd source to unconditionally sleep for 20s and return failure?

--myk
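The tarpit process the post describes, as an added example that is not part of the original message: a minimal listener that pf could rdr the <zombies> table to. Instead of patching sshd to sleep and fail, it relies on the SSH transport protocol (RFC 4253, section 4.2), which allows a server to send arbitrary text lines before its "SSH-2.0-..." identification string and obliges clients to read and discard them. The listener never sends the identification string, so a scanner that speaks SSH sits holding its socket open while receiving one slow junk line at a time. The pf rdr rule in the docstring, the local port 2222, and the 10-second line delay are assumptions, not anything from the post.

```python
"""Minimal SSH-flavoured tarpit (added example, not from the original post).

Assumed pf side (not from the post; the <zombies> table is the one the
overload rule fills):

    rdr on $ext_if proto tcp from <zombies> to ($ext_if) port ssh \\
        -> 127.0.0.1 port 2222

Each connection only ever receives pre-banner junk lines, never the real
"SSH-2.0-" identification string, so a scanner waits indefinitely.
"""
import random
import socket
import threading
import time

TARPIT_PORT = 2222   # assumed local port the pf rdr points at
LINE_DELAY = 10.0    # seconds between lines; each line resets the client's wait

_rng = random.Random()


def tarpit_line(rng=None):
    """One pre-banner line: printable ASCII, CRLF-terminated, never 'SSH-'."""
    rng = rng or _rng
    body = bytes(rng.randint(0x20, 0x7E) for _ in range(rng.randint(3, 32)))
    if body.startswith(b"SSH-"):
        # RFC 4253 4.2: a line starting with "SSH-" would be taken as the
        # identification string and end the tarpit, so never emit one.
        body = b"x" + body[1:]
    return body + b"\r\n"


def serve_client(conn, peer, delay=LINE_DELAY, max_lines=None):
    """Dribble junk lines at one client; return how many were sent."""
    print(f"tarpit: connection from {peer[0]}:{peer[1]}")  # local log line
    sent = 0
    try:
        while max_lines is None or sent < max_lines:
            conn.sendall(tarpit_line())
            sent += 1
            time.sleep(delay)
    except OSError:
        pass  # client gave up or reset; nothing more to do
    finally:
        conn.close()
    print(f"tarpit: {peer[0]} disconnected after {sent} lines")
    return sent


def start_tarpit(host="127.0.0.1", port=TARPIT_PORT, delay=LINE_DELAY):
    """Listen on host:port and tarpit every client in its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(64)

    def accept_loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return  # listening socket closed
            threading.Thread(target=serve_client, args=(conn, peer, delay),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def probe(srv, timeout=5.0):
    """Connect to a running tarpit and return the first bytes it sends."""
    with socket.create_connection(srv.getsockname(), timeout=timeout) as c:
        return c.recv(64)


if __name__ == "__main__":
    s = start_tarpit()
    print(f"tarpit listening on {s.getsockname()}")
    threading.Event().wait()  # serve until killed
```

Because the real sshd still answers on port ssh for everyone not in <zombies>, the redirect costs legitimate users nothing; a scanner that has tripped the max-src-conn-rate limit is the only thing that ever reaches the tarpit. The peer address printed per connection gives the per-IP log the post wants, and the line delay can be raised to keep each scanner socket tied up for longer at negligible cost to the server.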