[nycbug-talk] another thread: sshd zombie attacks
Matt Juszczak
matt at atopia.net
Wed May 20 02:25:23 EDT 2009

> If you must have a box with sshd(8) widely open, then I would consider
> running at least pf(4) on it.  It has some nice features to stop these
> kind of attacks.
Right. Exactly what I'm doing:
---/etc/pf.conf---
if = "em0"
pass all
# sources that trip the overload rule are collected here; "persist" keeps
# the table across rule reloads
table <bruteforce> persist
block drop in quick on $if from <bruteforce> to any
# one logical rule; the trailing backslashes continue it across lines
pass in quick on $if inet proto tcp from any to $if port 22 flags S/SA \
keep state (max-src-conn 50, max-src-conn-rate 3/30, overload <bruteforce> \
flush global)
---end---
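The overload rule above trips when a single source opens more than 3 new connections within 30 seconds and drops that source into the <bruteforce> table. As an added illustration (not from this post and not pf's own code), the Python below applies the same sliding-window rule in userland to a few constructed sshd log lines, so you can see which sources the rule would catch and which it would not. It assumes each sshd auth line stands for one new TCP connection; pf actually counts SYNs, so this is an approximation of the kernel's behaviour, not a replacement for it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not taken from any real host).
# Each line is treated as one new connection from the source address.
SAMPLE_LOG = """\
May 20 02:10:01 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
May 20 02:10:05 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
May 20 02:10:09 host sshd[1003]: Failed password for root from 192.0.2.10 port 40003 ssh2
May 20 02:10:12 host sshd[1004]: Failed password for root from 192.0.2.10 port 40004 ssh2
May 20 02:10:15 host sshd[1005]: Failed password for root from 192.0.2.10 port 40005 ssh2
May 20 02:11:00 host sshd[1006]: Accepted publickey for matt from 198.51.100.7 port 50001 ssh2
May 20 02:20:00 host sshd[1007]: Failed password for root from 203.0.113.5 port 60001 ssh2
May 20 02:21:00 host sshd[1008]: Failed password for root from 203.0.113.5 port 60002 ssh2
May 20 02:22:00 host sshd[1009]: Failed password for root from 203.0.113.5 port 60003 ssh2
May 20 02:23:00 host sshd[1010]: Failed password for root from 203.0.113.5 port 60004 ssh2
"""

# syslog timestamp, then the "from <ip> port <n>" fragment sshd writes
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: .* from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(log_text, year=2009):
    """Turn sshd log lines into a time-ordered list of (timestamp, source_ip).

    syslog lines carry no year, so the caller supplies one (assumption: 2009,
    matching the date of the post)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    events.sort()
    return events


def overloaded_sources(events, max_conns=3, interval=30):
    """Apply pf's max-src-conn-rate semantics: a source that opens more than
    max_conns connections inside any interval-second window is "overloaded".

    Returns {ip: timestamp of the connection that tripped the rule}.  Once a
    source is flagged its later events are ignored, mirroring the block-drop
    rule on the <bruteforce> table (the "flush global" part, which kills the
    source's existing states, has no equivalent here)."""
    window = defaultdict(deque)   # per-source timestamps within the window
    flagged = {}
    for ts, ip in events:
        if ip in flagged:
            continue
        q = window[ip]
        # drop connections that fell out of the sliding window
        while q and (ts - q[0]).total_seconds() > interval:
            q.popleft()
        q.append(ts)
        if len(q) > max_conns:
            flagged[ip] = ts
    return flagged


def table_entries(log_text):
    """Sorted list of sources that would end up in <bruteforce>."""
    return sorted(overloaded_sources(parse_events(log_text)))


if __name__ == "__main__":
    for ip, when in overloaded_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip} overloaded at {when.isoformat()}")
```

Running it flags 192.0.2.10 (four connections inside 12 seconds) on its fourth attempt, while 203.0.113.5, which pauses a full minute between attempts, never exceeds one connection per window and is not flagged. That is the rule's blind spot: max-src-conn-rate stops the fast, noisy guesser, not a patient one, which is why it belongs alongside key-only authentication rather than instead of it.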