On 10/30/16 01:46, Nicolai wrote:
> BTW, there are generally better options for handling bruteforce
> traffic. What kind of bruteforce traffic are you trying to stop?
In the classic case of rapid-fire bruteforcers an adaptive, state tracking based approach such as [1] works quite well. However, in addition you have a set of bruteforcers that come in at frequencies just low enough that it gets hard to auto-block them that way without interfering with ordinary users' activity. Not necessarily "the Hail Mary Cloud", but rather a few very persistent but slow moving bots.

If this is what the original poster is trying to address, blocking on an additional table sourced from a file might be useful.

[1] https://home.nuug.no/~peter/pf/en/bruteforce.html

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
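The two-table setup the message describes, as an added pf.conf example that is not part of the original post or of the tutorial at [1]: an overload table filled automatically by state tracking for the rapid-fire case, plus a second table loaded from a hand-maintained file for the slow, persistent bots. The file path /etc/pf.slowbots and the table names are assumptions.

```pf
# Rapid-fire bruteforcers land here automatically via the overload clause.
table <bruteforce> persist

# Slow, persistent bots that stay under the rate limit are listed by hand,
# one address or CIDR block per line (path is an assumed example).
table <slowbots> persist file "/etc/pf.slowbots"

block quick from <bruteforce>
block quick from <slowbots>

# State tracking: more than 15 new connections in 5 seconds, or more than
# 100 concurrent states from one source, moves that source into <bruteforce>
# and drops all of its existing states ("flush global").
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
        overload <bruteforce> flush global)

# Operational notes (commands, not pf.conf syntax):
#   Age out auto-blocked entries older than a day, e.g. from cron:
#     pfctl -t bruteforce -T expire 86400
#   Add a slow bot immediately, then record it in the file so it survives
#   a reload; the file is re-read on pfctl -f or with:
#     pfctl -t slowbots -T add 192.0.2.10
#     pfctl -t slowbots -T replace -f /etc/pf.slowbots
#   Check what is currently blocked:
#     pfctl -t bruteforce -T show
#     pfctl -t slowbots -T show
```

Entries in <slowbots> never expire on their own, so review that file periodically to avoid keeping addresses blocked after a host has been cleaned up.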