On 2007/08/09 12:22, Joachim Schipper wrote:
> > > 
> > > # Define some variable for clarity
> > > SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
> > > 
> > > # Allow quick valid traffic to ssh but log all attempts as well
> > > pass in log quick on $ext_if inet proto tcp from ! <scanners> \
> > >    to $ext_if port ssh flags S/SA keep state \
> > >    $SSH_LIMIT
> > 
> > I've added something like this to pf.conf but it's only partially
> > successful. I would appreciate any clues as to why it's not blocking all
> > brute-force attempts.
> 
> You would probably be better served by a clue about why this is a
> terribly bad idea, but you'll most likely have heard all the arguments
> already. Or maybe not - 'flush' enables an attacker to not only prevent
> you connecting, but actually to log you out as well.

This still needs a 3-way handshake to be completed, it's not so
easy to blindly spoof. Main problem is if the attacker comes from
the same IP address as a legitimate user (NAT etc).

> Plus, SSH scans are about as dangerous as some skiddie scanning for old
> versions of PHPMyAdmin, and we don't take steps to prevent the latter
> either.

Depends how much CPU is spent handling the connections.

> Finally, Subversion over SSH uses lots of connections, should you ever
> want to use that.

Connection multiplexing can be useful for this sort of thing.
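As an added example, not taken from the thread, here is a pf.conf fragment that keeps the quoted SSH_LIMIT approach but uses plain `flush` instead of `flush global`, so an overload only tears down states created by the limited rule, and adds an explicit block rule plus an exempt network for the shared-address (NAT) case discussed above. The interface name `em0` and the `admin_net` prefix are assumptions.

```pf
ext_if = "em0"                       # assumed external interface
admin_net = "192.0.2.0/24"           # constructed: hosts that must never be rate-limited
table <scanners> persist             # overload table; persist keeps it across rule reloads

# Same threshold as the quoted rule: more than 3 new connections in 30 s from
# one source address adds that address to <scanners>.  Plain 'flush' kills only
# the states this rule created, so an unrelated established session from the
# same address (e.g. a NAT gateway shared with a legitimate user) is not torn
# down the way 'flush global' would do.
SSH_LIMIT = "(max-src-conn-rate 3/30, overload <scanners> flush)"

# Make the drop explicit and logged instead of relying on the default policy
# for addresses that no longer match the negated pass rule below.
block in log quick on $ext_if inet proto tcp from <scanners> \
    to $ext_if port ssh

# Administrative network is matched first and never subject to the limit.
pass in quick on $ext_if inet proto tcp from $admin_net \
    to $ext_if port ssh flags S/SA keep state

# Everyone else: pass, log every attempt, and apply the rate limit.
pass in log quick on $ext_if inet proto tcp from ! <scanners> \
    to $ext_if port ssh flags S/SA keep state \
    $SSH_LIMIT
```

Entries stay in the table until removed; `pfctl -t scanners -T show` lists them and a periodic `pfctl -t scanners -T expire 86400` drops addresses older than a day.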
