Craig Skinner wrote:
> Hello,
>
> Zombies are often attacking ports which don't have services running,
> such as telnet (most popular indeed....), mysql, 3551, 8080, 13272, etc.
>
> With a default pf block drop in on $ext_if, how can those source IPs be
> added to a <scanners> table? Which all can be dropped & small queued.
>
> I've tried to overload a match statement, but that won't work.
>
> Or is there something handy in ports to help?
block log those ports, then process the log file?

    block quick from <badapples>
    block quick log in to port 8080

then you won't see them showing up in the log over and over.
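As an added example (not from the thread), here is one way to carry out the "block log those ports, then process the log file" suggestion: a pf.conf fragment that logs hits on the unused ports, and a shell helper that pulls the source addresses out of `tcpdump -n -e -r /var/log/pflog` output and feeds them to `pfctl -t scanners -T add`. The interface name, the port list, IPv4-only parsing and the sample pflog lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed pf.conf fragment:
#   table <scanners> persist
#   block drop in quick on $ext_if from <scanners>
#   block drop in log on $ext_if proto tcp to port { 23 3306 3551 8080 13272 }
# Normal use (as root, with pf enabled):
#   tcpdump -n -e -r /var/log/pflog | extract_scanner_ips | add_to_table
set -eu

# Ports from the question: nothing listens there, so any hit is a probe.
PROBE_PORTS="23 3306 3551 8080 13272"

# Read "tcpdump -n -e" pflog lines on stdin; print each unique source IPv4
# whose destination port is in PROBE_PORTS. Only "block in" entries count.
extract_scanner_ips() {
    awk -v ports="$PROBE_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /block in/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
            if (src == "") next
            sub(/:$/, "", dst)                 # "a.b.c.d.port:" -> "a.b.c.d.port"
            nd = split(dst, d, "."); dport = d[nd]
            ns = split(src, s, ".")            # 4 octets + 1 port field
            if (ns == 5 && (dport in want))
                print s[1] "." s[2] "." s[3] "." s[4]
        }' | sort -u
}

# Add each address read from stdin to the <scanners> table (needs root).
add_to_table() {
    while IFS= read -r ip; do
        pfctl -t scanners -T add "$ip"
    done
}

# Constructed sample in "tcpdump -n -e -r /var/log/pflog" format; not real traffic.
sample_pflog() {
    cat <<'EOF'
rule 4/(match) block in on em0: 203.0.113.5.54321 > 198.51.100.2.23: S 1:1(0) win 65535
rule 4/(match) block in on em0: 203.0.113.5.54322 > 198.51.100.2.8080: S 1:1(0) win 65535
rule 4/(match) block in on em0: 192.0.2.77.40000 > 198.51.100.2.3306: S 1:1(0) win 65535
rule 2/(match) block in on em0: 192.0.2.99.40001 > 198.51.100.2.443: S 1:1(0) win 65535
rule 7/(match) pass out on em0: 198.51.100.2.22 > 192.0.2.10.5555: S 1:1(0) win 65535
EOF
}
```

Run against the sample, only 203.0.113.5 and 192.0.2.77 are printed; the 443 hit (a real service) and the outbound pass entry are ignored, so the table only ever grows from probes of ports nothing listens on.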