What you could also do is install swatch from ports or packages and have
a table in your pf.conf like this:
table <sshdtrolls> persist
and a rule
#stop ssh trolls
block in log quick on $EXT_IF inet proto {tcp,udp} from <sshdtrolls> to $EXT_IF port ssh label "SSHDTrolls"
A swatchrc file of:
watchfor /Failed password for invalid user/
exec /sbin/pfctl -t sshdtrolls -T add $13
[EMAIL PROTECTED], --subject=woo. we have a troll
throttle 02:00
exec echo $13 >> /root/swatchlog
Then run swatch with:
/usr/local/bin/swatch -c /root/swatchrc -t /var/log/authlog &
(Note file locations and settings might need to be changed depending on
your config)
I also have AllowUsers set, and use the PubkeyAuthentication and
PasswordAuthentication no settings in sshd_config. This means that for a
normal login the error "Failed password for invalid user" won't come up,
as it'll never get that far since it's expecting a key.
If a troll tries to log in, they get one chance before the swatch picks
it up and adds it to the block table.