From: Aflatoon Aflatooni <aaflatooni@yahoo.com>
To: freebsd-questions@freebsd.org
Date: Thu, 15 Oct 2009 20:54:21 -0700 (PDT)
Subject: Re: Security blocking question
Message-ID: <628151.64600.qm@web56204.mail.re3.yahoo.com>
In-Reply-To: <4ACFB17A.1080400@infracaninophile.co.uk>

> > Is there a way that I could configure the server so that if there are, for
> > example, X attempts from an IP address, then for the next Y hours all the SSH
> > requests would be ignored from that IP address? There are only a handful of
> > people who have access to that server.
>
> Yes.
>
> In pf.conf:
>
> table <ssh-bruteforce> persist
>
> [...]
>
> block drop in log quick on $ext_if from <ssh-bruteforce>
>
> [...]
>
> pass in on $ext_if proto tcp        \
>     from any to $ext_if port ssh    \
>     flags S/SA keep state           \
>     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
>
> plus you'll need to add a cron job to clear old entries out of the
> ssh-bruteforce table after a suitable amount of time has passed.  Use
> expiretable to do that.  Note: in practice I've found that it's a *really
> good idea* to implement an SSH whitelist of addresses that will never be
> bruteforce blocked like this -- it's very easy to lock yourself out even if
> everything you're doing is entirely legitimate.  Coding that is left as an
> exercise for the reader.
>

What is the best way of testing the PF rule? Is there a quick way to mimic a
brute force?
Is there a way that I could review the content of the table through
pfctl -s all?

Thanks
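The reply above leaves the whitelist as an exercise and the follow-up asks how to test the rule and inspect the table. The pf.conf fragment below is an added example for this thread, not the original poster's or the replier's configuration. The interface name em0, the whitelist addresses (RFC 5737 documentation ranges), the expiretable path and the cron line are assumptions to replace with your own values.

```pf
# /etc/pf.conf fragment: SSH brute-force throttling plus an admin whitelist.
# Added example for this thread; not the original poster's or replier's config.
# Assumptions: external interface em0, admin hosts 203.0.113.10 and
# 198.51.100.0/24 (documentation ranges), expiretable installed from the
# security/expiretable port into /usr/local/sbin.

ext_if = "em0"

# Sources that must never be rate-limited. persist keeps the table (and its
# contents) across rule reloads.
table <ssh-whitelist> persist { 203.0.113.10, 198.51.100.0/24 }

# Offenders are added here by the overload clause below. Prune old entries
# from cron with expiretable, e.g. (assumed path and interval):
#   */5 * * * * /usr/local/sbin/expiretable -v -t 24h ssh-bruteforce
table <ssh-bruteforce> persist

# Whitelisted sources match first; "quick" stops evaluation here, so they
# never reach the block rule and carry no max-src-conn-rate limit.
pass in quick on $ext_if proto tcp from <ssh-whitelist> to $ext_if port ssh \
    flags S/SA keep state

# Anything already in the offenders table is dropped and logged to pflog0.
block drop in log quick on $ext_if from <ssh-bruteforce>

# Everyone else gets SSH, but more than 3 new connections within 30 seconds
# adds the source to <ssh-bruteforce>. "flush global" also kills every
# state that source currently holds, not only its SSH states.
pass in on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
```

To test it: check the syntax with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, then from a host that is not in <ssh-whitelist> open more than three TCP connections to port 22 inside 30 seconds, for example `for i in 1 2 3 4 5; do nc -z -w 1 server.example.org 22; done` (nc and the hostname are assumptions; repeated ssh connection attempts work just as well, since the rule counts new connections, not failed logins). That source should then appear in `pfctl -t ssh-bruteforce -T show`; `pfctl -s all` prints rules, states, counters and timeouts but not table contents, which need the `-t <table> -T show` form. Blocked packets can be watched with `tcpdump -n -e -ttt -i pflog0` because the block rule logs. To unblock a test address, `pfctl -t ssh-bruteforce -T delete <address>`, or `pfctl -t ssh-bruteforce -T flush` to empty the table. Do the test from a throw-away address, not the one you administer from: with "flush global" a tripped rule kills the existing sessions of that source too, which is exactly the lock-out the reply above warns about.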