Hi all! I'm curious what y'all think of this situation.
I have SSH open as an exit port on a TOR exit that my friends and I are maintaining - and of course it's the #1 offender by far in automated abuse notifications we get from our ISP, from peoples' fail2ban servers sending abuse emails. This all seems like a huge waste of time, but that's a separate issue.
I'm wondering if nerfing outbound SSH to rate limit will be effective at getting the SSH scanning bots to stop using my exit in their circuit, while leaving SSH open for actual humans who need to SSH while using TOR.
I've implemented, as a test, rate limiting outbound on the SSH port. What do you think the impact of this will be? No impact? Losing exit status because connections on SSH die? Something else entirely?
Here's the pf rules in question:
pass in on $ext_if proto {tcp udp} from any to any port 9000:9150 keep state
pass in on $ext_if proto tcp from any to any port 22 keep state
pass in on $ext_if proto tcp from any to any port 80 keep state
pass out on $ext_if from any to any keep state
pass out on $ext_if proto tcp from any to any port 22 keep state (max-src-conn 25, max-src-conn-rate 1/5 )