On 04/05/18 23:16, Luke Small wrote:
> Can SSH and possibly other programs be more easily able to report successful
> connections so pf can make stricter brute-force connection rejection even
> better?

See this paper, that might contain what you're trying to achieve:

https://www.sans.org/reading-room/whitepapers/firewalls/cleaning-yard-discussion-mothers-home-network-security-32933


At the end of a "pass" rule in pf.conf, the author adds:

    max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global

which means:

    "any source can only have a total of three connections,
    and they may not create them at a rate faster than two
    every five minutes. If they do, they will be added to the
    abusers table and every packet/session will be globally
    dropped."

I locked myself out of many boxes thanks to that.

--
Étienne

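For reference, here is how that option string sits inside a complete pf.conf fragment. This is an added example, not code from the original message or from the SANS paper; the interface name em0, the admin address 192.0.2.10 and the table name <abusers> are placeholders. One detail worth checking against pf.conf(5) before copying the rule: the interval in max-src-conn-rate is given in seconds, so 2/5 means two new connections per five seconds, and the options belong inside the state-options parentheses of the pass rule. The separate pass rule for the admin host is there precisely to avoid the lockout described above.

```pf
# Added example pf.conf fragment (not from the original message or the paper).
# Assumed placeholders: external interface em0, trusted admin host 192.0.2.10.
ext_if = "em0"
admin  = "192.0.2.10"

# Table that overload populates; persist keeps it across rule reloads.
table <abusers> persist

# Drop everything from hosts that tripped the limits. Must come before the
# pass rules below, and quick stops further evaluation.
block in quick on $ext_if from <abusers>

# Let the trusted admin host reach sshd without ever being counted against
# the limits, so a typo or a burst of scp sessions cannot lock us out.
pass in quick on $ext_if proto tcp from $admin to ($ext_if) port ssh

# Everyone else: at most 3 concurrent ssh states per source, and no more
# than 2 new connections per 5 seconds; offenders go into <abusers> and all
# of their existing states (not just ssh) are flushed.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn 3, max-src-conn-rate 2/5, \
                overload <abusers> flush global)
```

Entries added by overload stay in the table until something removes them, so pair the rule with an expiry job such as `pfctl -t abusers -T expire 86400` from cron, and keep `pfctl -t abusers -T delete <address>` handy for the day the blocked address turns out to be your own.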