On 2008/01/11 11:07, Jason McIntyre wrote:
> On Fri, Jan 11, 2008 at 10:51:41AM +0000, Stuart Henderson wrote:
> > On 2008/01/11 12:33, Lars Noodin wrote:
> > >
> > > I suppose another option is to use pf to filter out all incoming traffic
> > > to the servers originating from Windows computers
> >
> > you can take a look for yourself with tcpdump -O, but I think you'll
> > find the ssh scans are more likely to be from some variety of unix.
> >
> > an inclusive match is usually better e.g.
> > pass proto tcp from any os "OpenBSD" to port ssh
>
> that could be less useful if you have ipv6 connections in, no? since
> pf.os(5) claims only to be able to fingerprint hosts "that originate an
> IPv4 TCP connection".
I didn't notice that about pf.os before but it's not a big surprise. random
address space scans are a bit less of a problem in ipv6 though so
"pass in inet6 proto tcp to port ssh" might be acceptable.

> but maybe the ssh client will fall back to using ipv4 if it meets that.
> i am unsure.

it should do; if packets are dropped on the floor i.e. "block drop" it will
take some time to notice (like connecting to undeadly from v6 until occaid's
sixxs tunnels are back up ;-) if it's "block return" it should be fast.
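The following pf.conf fragment is an added example, not a ruleset posted in this thread, showing how the rules discussed above fit together: an inclusive os-fingerprint match for IPv4 (the only address family pf.os(5) can fingerprint), a plain inet6 pass for ssh, and a "block return" default so a dual-stack client refused on IPv6 falls back to IPv4 quickly. The interface name em0, the choice of "block return" as the default policy, and the explicit "flags S/SA keep state" modifiers are assumptions for the example.

```pf
# Added example ruleset illustrating the thread's points; not from the thread.
# Assumptions: the external interface is em0 and the default policy is
# "block return" (both chosen for the example).
ext_if = "em0"

# Default: reject everything. "block return" answers with a TCP RST (or an
# ICMP unreachable), so a v6-capable ssh client that is refused here falls
# back to IPv4 almost immediately instead of waiting out a connection timeout
# as it would if the packets were silently dropped with "block drop".
block return in on $ext_if

# Inclusive match for IPv4: pf.os(5) only fingerprints hosts that originate
# an IPv4 TCP connection, and only on the initial SYN, so restricting to
# "flags S/SA" matches exactly the packets that carry a fingerprint. This
# rule can never match an IPv6 SYN, so it is deliberately limited to inet.
pass in on $ext_if inet proto tcp from any os "OpenBSD" to port ssh \
    flags S/SA keep state

# IPv6 has no fingerprint to test. Random address-space scans are far less
# of a concern in the IPv6 address space, so allowing ssh over inet6 without
# an os check is the trade-off the thread suggests.
pass in on $ext_if inet6 proto tcp from any to port ssh \
    flags S/SA keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf` (parse only, no changes applied); `tcpdump -O` on the external interface, as mentioned above, shows which fingerprint pf would assign to incoming IPv4 SYNs and confirms that IPv6 SYNs get none.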