#4
30th June 2018
frcc
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335

Quote:
Originally Posted by e1-531g
But how would pf differentiate between an unsuccessful login attempt and a successful login attempt?
I know pf can be used against port scanning and some resource-exhausting behaviors of malicious bots, but does it know whether a login was successful?

Depending on the poster's intention (which I am not exactly clear on)

He can use the "log" syntax in Pf which will create a log for any
blocked/dropped/passed packet he chooses. Packet filtering would pre-empt
any SSH login attempt based on his filter rules.

Also, the "table" syntax can be used to quickly determine sources to
be accepted or rejected en route to an SSH port.

One can filter users in SSH but if I remember correctly OpenBSD recommends performing
filtering in Pf. Also, OpenBSD points to using "table" as the fastest method of looking up those
sources that one wishes to filter if that number is significant.

The user can then audit Pf logs/failed login attempts or some other means of audit such as a
script of some sort possibly using CRON.

One could also use host (allow deny) but again OpenBSD recommends using Pf as its preferred
method.

I apologize if I am not understanding the poster's intent, but if I want to filter almost anything
it would start with Pf, logs, and system logs.

Last edited by frcc; 30th June 2018 at 07:04 PM. Reason: clarify and add to post
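The audit script mentioned in the post above, sketched as an added example that is not part of frcc's post: pf only sees packets, so the login outcome has to come from sshd's own log, and this counts failed password attempts per source and prints the addresses at or over a threshold. The sample log lines, the threshold, and the table name `ssh_blocked` are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread.

# Constructed sample of sshd lines in the style of /var/log/authlog.
sample_authlog() {
cat <<'EOF'
Jun 30 18:01:02 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 30 18:01:05 gw sshd[4101]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jun 30 18:01:09 gw sshd[4102]: Failed password for invalid user from 192.0.2.10 from 203.0.113.5 port 51236 ssh2
Jun 30 18:02:11 gw sshd[4110]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed
Jun 30 18:03:40 gw sshd[4120]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Jun 30 18:03:44 gw sshd[4120]: Failed password for bob from 198.51.100.7 port 40023 ssh2
EOF
}

# Read log lines on stdin; print each source with >= $1 failed attempts.
# The user name is supplied by the remote side, so the address is taken by
# position from the end of the line ("from ADDR port N ssh2") rather than
# by searching for the first "from". Only address-shaped values are kept.
failed_ssh_sources() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / && NF >= 5 {
            if ($(NF-4) == "from" && $(NF-2) == "port" &&
                $(NF-3) ~ /^[0-9A-Fa-f:.]+$/)
                count[$(NF-3)]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# Demonstration on the constructed sample; prints 203.0.113.5.
sample_authlog | failed_ssh_sources 3

# From cron on the real system (table name is hypothetical and must match
# a "table <ssh_blocked> persist" line plus a block rule in pf.conf):
#   failed_ssh_sources 3 < /var/log/authlog > /tmp/ssh_offenders
#   pfctl -t ssh_blocked -T add -f /tmp/ssh_offenders
```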