Non-Linux SSH scan

Oct 25, 2004

Nine days ago I added this rule to the /etc/pf.conf on my gateway:

# Don't allow Linux hosts to connect to the sshd.
block drop in log on $ext_if proto { tcp, udp } \
    from any os Linux to any port ssh

It worked like a charm until today, when I got the first scan, so apparently not all the scanners are Linux, as earlier evidence suggested. Bugger!

I still have the “block scanners” code in place in /etc/daily.local, but it does not seem to make a difference, just as expected.

