Most people with a box on public IP, and with a sshd listening on port 22, notices a lot of bruteforce attempts. These attempts are filling up logs, and are a pure annoyance. Here's how I "solved" it..
In OpenBSD 3.7, pf got a really nice feature called max-src-conn-rate, which specifies how quickly new connections can be made. Connecting hosts exceeding this limit can be put into a table, and all states including that hosts IP address, can also be flushed.
When I have the offending IPs in a table, it can easily be blocked early on in our ruleset. But since I don't want to block a host forever, or even until the next reboot, I'm gonna use a small utility to clean out this table once in a while.
Let's start with the magic pf rule:
- # special rule for ssh
- pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
- flags S/SA keep state \
- (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
To keep the bad boys out, I add a block rule early on in my ruleset:
# block the ssh bruteforce bastards
- block drop in quick on $ext_if from <ssh-bruteforce>
It's in ports (sysutils/expiretable), but was commited after 3.8 was tagged, so you'll have to go -current, or compile/install it by hand. Then add this to roots crontab:
- */5 * * * * /usr/local/sbin/expiretable -t 3600 ssh-bruteforce
This is how I get rid of thousands of login attempts filling my logs.
http://johan.fredin.info/openbsd/block_ssh_bruteforce.html