Date: Fri, 5 May 2017 15:30:41 +1000 (EST) From: Ian Smith <smithi@nimnet.asn.au> To: Marco van Tol <marco@tols.org> Cc: freebsd-ipfw@freebsd.org Subject: Re: equivalent for pf's max-src-conn-rate in ipfw Message-ID: <20170505150345.X34672@sola.nimnet.asn.au> In-Reply-To: <F6AA6A38-CA06-49E8-AD8D-F6D8E4C26523@tols.org> References: <F6AA6A38-CA06-49E8-AD8D-F6D8E4C26523@tols.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 4 May 2017 23:46:21 +0200, Marco van Tol wrote: > Possibly this questions pops up regularly. I have tried to find the > answer myself and have been unable to so far. > > My current way to drastically slow-down ssh brute force attacks is by > using the pf feature "max-src-conn-rate" with an argument of 5/60 > meaning only 5 syn packets are allowed per source IP to my ssh port > per minute. The rest get dropped. This works both for IPv4 and > IPv6. I typically don't login more then 5 times per minute to my > hosts. > > I have tried several ways to get the same behaviour using ipfw and > dummynet. But when combining the rules with keep-state I don't get > to the point where I get wire-speed ssh connections for those that > make it while keeping the number of new connections per source IP at > a very low number (a few per minute). > > Is there an equivalent in ipfw for the pf feature max-src-conn-rate? No, and dummynet won't help to accomplish connection rate limiting. I've used inetd(8) (aka TCPwrappers) for limiting both ftp and pop3 connections to good effect. Sendmail fortunately includes rate-limiting configuration internally. An example inetd.conf entry for pop3: pop3 stream tcp nowait/7/4 root /usr/local/libexec/qpopper qpopper -s -T 120 limiting connections to 7 concurrent, maximum 4 per minute. Logging as: May 26 23:58:42 sola inetd[3497]: pop3 from 58.185.139.68 exceeded counts/min (limit 4/min) May 27 00:00:24 sola inetd[3497]: pop3 from 58.185.139.68 exceeded counts/min (limit 4/min) May 27 00:01:57 sola inetd[3497]: pop3 from 58.185.139.68 exceeded counts/min (limit 4/min) I haven't used it with sshd myself; instead I use a table of permissable addresses, but that's no use if you need connections from random IPs. > Thank you very much in advance, please keep cc'ing me as I have not > subscribed to the ipfw list yet. cheers, Ian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170505150345.X34672>