On Wed, September 28, 2016 1:20 pm, Chris Bennett wrote:
>
> Right now I am using a simple script from the error log to block
> permanently any requests from that IP using OpenBSD pf.
>
> That simply doesn't work well enough anymore due to the time lag between
> 20+ requests at once getting to the log file.
I use a combination of overload in pf with a bruteforce table and log parsing.
I don't currently do the log parsing in real time. You could use your own
script or something like fail2ban for that. The combination will quickly lock
out rapid connection attempts, while eventually also getting the slow pokes.

> Plus, I occasionally screw up and block my own IP address so I keep an SSH
> session open before experimenting.

Create a "safe" table in pf and put your often used IPs in it (assuming they
are static enough for this) and match that before you check the bruteforce
table.

Also, your rules and tables for ssh can be different than those of the web
server. No reason for accidentally going to a bad URL to lock you out of ssh.

Tim.
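A pf.conf sketch of the layout Tim describes, added here as an example and not
taken from the thread: a safe table matched first with `quick`, separate
bruteforce tables for ssh and for the web ports so a bad URL can never cost you
your ssh session, and per-service overload limits. The interface name em0, the
file /etc/pf.safe, the port list and the rate numbers are assumptions; tune
them for your own box.

```pf
# Added example, not from the thread. Interface, paths and limits are assumed.
ext_if = "em0"

# Addresses that must never be locked out. Edit the file, then reload with
#   pfctl -t safe -T replace -f /etc/pf.safe
table <safe> persist file "/etc/pf.safe"

# Filled by the overload rules below (and by a log parser from cron).
# Age entries out with, e.g., a daily  pfctl -t ssh_bruteforce -T expire 86400
table <ssh_bruteforce> persist
table <web_bruteforce> persist

set skip on lo
block return in log on $ext_if all

# 1. Trusted sources win before any bruteforce table is consulted.
pass in quick on $ext_if proto tcp from <safe> to ($ext_if) port { ssh, www, https }

# 2. Known offenders, per service. A web offender keeps ssh; an ssh offender keeps www.
block drop in quick on $ext_if proto tcp from <ssh_bruteforce> to ($ext_if) port ssh
block drop in quick on $ext_if proto tcp from <web_bruteforce> to ($ext_if) port { www, https }

# 3. ssh: 5 new connections in 30 s from one source is already suspicious.
#    flush global also kills that source's existing states.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <ssh_bruteforce> flush global)

# 4. Web: looser limits, its own table.
pass in on $ext_if proto tcp to ($ext_if) port { www, https } flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 40/10, overload <web_bruteforce> flush global)

pass out on $ext_if all
```

Load it with `pfctl -f /etc/pf.conf` from a session that is already in the
safe table, then watch what the overload rules catch with
`pfctl -t web_bruteforce -T show`. The overload clause only fires on
connection rate, so a scanner that paces itself stays under it; that is the
"slow poke" the batch log parser is there to pick up.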
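For the non-real-time log parsing half, an added example of my own (not from
the thread, and not fail2ban): it reads httpd access-log lines in the common
log format, counts per-source hits of chosen status codes inside a sliding
window, skips the safe range, and emits the pfctl commands that add the rest
to a table. The log format, the safe network 192.0.2.0/24, the table name
web_bruteforce, the thresholds and the sample log lines are all constructed
for this example.

```python
#!/usr/bin/env python3
"""Batch log parser feeding a pf bruteforce table (added example, not from the thread).

Finds sources with `threshold` matching responses inside any `window` seconds,
skips safe addresses, and prints the pfctl commands to add the rest to a table.
Assumed to run from cron against new log lines only (rotate or tail the log),
so an address is not re-added on every run.
"""
import re
import sys
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [time] "request" status bytes  (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed admin range; keep this in step with the pf <safe> table.
SAFE_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_safe(ip):
    """True if ip is inside a safe network, or is not a parseable address at all."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # never hand garbage to pfctl
    return any(addr in net for net in SAFE_NETS)


def offenders(lines, threshold=20, window=60, statuses=("404",)):
    """Sorted IPs with >= threshold hits of the given statuses within window seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of recent matching hits
    bad = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] not in statuses:
            continue
        ip = m["ip"]
        if ip in bad or is_safe(ip):
            continue
        t = datetime.strptime(m["ts"], TS_FMT)
        q = recent[ip]
        q.append(t)
        while t - q[0] > timedelta(seconds=window):
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= threshold:
            bad.add(ip)
    return sorted(bad)


def pfctl_commands(ips, table="web_bruteforce"):
    """pfctl invocations that add each offender to the given pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


# Constructed sample log, not real traffic: a scanner spraying 404s, a slow
# poke, a safe host making typos, and a busy but legitimate client.
def _line(ip, ts, path, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 0'


_T0 = datetime(2016, 9, 28, 13, 20, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("198.51.100.7", _T0 + timedelta(seconds=i), f"/wp-login.php?{i}", 404) for i in range(25)]
    + [_line("203.0.113.9", _T0 + timedelta(seconds=30 * i), "/missing", 404) for i in range(3)]
    + [_line("192.0.2.5", _T0 + timedelta(seconds=i), "/typo", 404) for i in range(30)]
    + [_line("198.51.100.8", _T0 + timedelta(seconds=i), "/", 200) for i in range(40)]
)

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for cmd in pfctl_commands(offenders(src)):
        print(cmd)
```

Run it as `python3 parse.py /var/www/logs/access.log | sh` from cron. On the
sample log only 198.51.100.7 is reported: the safe host is skipped even with
30 misses, the 200s are ignored, and the slow poke at one miss per 30 s needs
a wider window and lower threshold to be caught, which is the trade-off Tim
is describing between the fast overload rule and the slower log pass.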