"Bharj, Gagan" <[EMAIL PROTECTED]> writes:

> Our server is getting hammered on a daily basis by IPs trying to open an ssh
> session. Currently, I'm manually putting the subnets (in a pf table) that are
> repeatedly trying to get in. As you can see, this list will eventually get
> very big and will be unmaintainable. Is there any way that I can say only
> allow IP addresses from particular ISPs or domains?
You are really asking quite a few questions at the same time here. Yes, it's possible to write your ssh pass rule to allow only $goodguys (or <goodguys>, for that matter) to pass. It is also possible to use max-src-conn, overload and friends to silence bruteforcers, and it is possible to use something like expiretable to weed out old entries in a table.

My PF tutorial has examples at http://www.bgnett.no/~peter/pf/en/bruteforce.html

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
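The three mechanisms the reply names (a whitelist table, max-src-conn/overload, and table expiry) fit together in one pf.conf fragment. The following is an added example, not code from the original thread or from the linked tutorial; the interface name, local network, table names and the file path are assumptions chosen for illustration.

```pf
# Added example (not from the original post or tutorial).
# $ext_if, $localnet, the table names and /etc/pf.goodguys are assumptions.
ext_if = "em0"
localnet = "192.0.2.0/24"

# Hand-maintained list of sources that may always reach sshd (ISP ranges,
# office addresses, hosts running scripted ssh). Loaded from a file so the
# list can grow without touching the ruleset.
table <goodguys> persist file "/etc/pf.goodguys"

# Offenders are added here automatically by the overload clause below.
# 'persist' keeps the table (and its entries) across ruleset reloads.
table <bruteforce> persist

# 1. Known-good sources pass first and 'quick', so they can never be
#    locked out even if one of them somehow ends up in <bruteforce>.
pass in quick on $ext_if proto tcp from <goodguys> to $localnet port ssh \
    flags S/SA keep state

# 2. Anything already flagged is dropped before any other pass rule.
block in quick on $ext_if from <bruteforce>

# 3. Everyone else may try ssh, but a single source opening more than
#    5 new connections in 30 seconds, or holding more than 20 at once,
#    is added to <bruteforce>; 'flush global' also tears down every
#    state that source already has, not just the ssh ones.
#    Delete this rule to get the "whitelist only" policy the question asks for.
pass in on $ext_if proto tcp from any to $localnet port ssh \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 5/30, \
     overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf`, watch the table fill with `pfctl -t bruteforce -T show`, and clear a false positive with `pfctl -t bruteforce -T delete <address>`. To stop the table growing without bound, run expiretable from cron, for example `expiretable -t 24h bruteforce` to drop entries older than a day (newer OpenBSD releases can do the same with `pfctl -t bruteforce -T expire 86400`). The caveat to keep in mind is that max-src-conn-rate counts your own users too: a backup job that opens one ssh session per file will trip it just as surely as a bruteforcer, which is exactly why such hosts belong in <goodguys> and why that rule sits ahead of the block rule.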