Date:      Fri, 5 May 2017 15:30:41 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Marco van Tol <marco@tols.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: equivalent for pf's max-src-conn-rate in ipfw
Message-ID:  <20170505150345.X34672@sola.nimnet.asn.au>
In-Reply-To: <F6AA6A38-CA06-49E8-AD8D-F6D8E4C26523@tols.org>
References:  <F6AA6A38-CA06-49E8-AD8D-F6D8E4C26523@tols.org>

On Thu, 4 May 2017 23:46:21 +0200, Marco van Tol wrote:

 > Possibly this question pops up regularly.  I have tried to find the 
 > answer myself and have been unable to so far.
 > 
 > My current way to drastically slow-down ssh brute force attacks is by 
 > using the pf feature "max-src-conn-rate" with an argument of 5/60 
 > meaning only 5 syn packets are allowed per source IP to my ssh port 
 > per minute.  The rest get dropped.  This works both for IPv4 and 
 > IPv6.  I typically don't login more than 5 times per minute to my 
 > hosts.
 > 
 > I have tried several ways to get the same behaviour using ipfw and 
 > dummynet.  But when combining the rules with keep-state I don't get 
 > to the point where I get wire-speed ssh connections for those that 
 > make it while keeping the number of new connections per source IP at 
 > a very low number (a few per minute).
 > 
 > Is there an equivalent in ipfw for the pf feature max-src-conn-rate?

No, and dummynet won't help to accomplish connection rate limiting.

I've used inetd(8) (aka TCPwrappers) for limiting both ftp and pop3 
connections to good effect.  Sendmail fortunately includes rate-limiting 
configuration internally.  An example inetd.conf entry for pop3:

pop3    stream  tcp     nowait/7/4 root /usr/local/libexec/qpopper   qpopper -s -T 120

limiting connections to 7 concurrent, maximum 4 per minute.  Logging as:

May 26 23:58:42 sola inetd[3497]: pop3 from 58.185.139.68 exceeded counts/min (limit 4/min)
May 27 00:00:24 sola inetd[3497]: pop3 from 58.185.139.68 exceeded counts/min (limit 4/min)
May 27 00:01:57 sola inetd[3497]: pop3 from 58.185.139.68 exceeded counts/min (limit 4/min)

I haven't used it with sshd myself; instead I use a table of permissible 
addresses, but that's no use if you need connections from random IPs.

 > Thank you very much in advance, please keep cc'ing me as I have not 
 > subscribed to the ipfw list yet.

cheers, Ian
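As an added example (not from either poster), here is a small Python model of the per-source sliding-window check behind pf's max-src-conn-rate 5/60, which also approximates inetd's per-IP-per-minute field; the addresses and timestamps are constructed.

```python
from collections import defaultdict, deque


def parse_rate(spec):
    """Parse a pf-style rate spec such as '5/60' into (count, seconds)."""
    count, seconds = spec.split("/")
    return int(count), int(seconds)


class SrcConnRateLimiter:
    """Sliding-window per-source new-connection limiter modelled on pf's
    max-src-conn-rate: at most `count` accepted connections per source
    address within any `seconds`-long window; excess attempts are dropped.
    Modelling assumption: dropped attempts do not consume the budget."""

    def __init__(self, spec="5/60"):
        self.count, self.seconds = parse_rate(spec)
        self._seen = defaultdict(deque)  # src -> timestamps of accepted connections

    def check(self, src, now):
        """Return True if a new connection from `src` at time `now` is allowed."""
        window = self._seen[src]
        # Expire accepted connections that have fallen out of the window.
        while window and now - window[0] >= self.seconds:
            window.popleft()
        if len(window) >= self.count:
            return False  # over the rate for this source: drop the SYN
        window.append(now)
        return True


def replay(attempts, spec="5/60"):
    """Run the limiter over (time, src) attempts; return the decisions in order."""
    lim = SrcConnRateLimiter(spec)
    return [lim.check(src, t) for t, src in attempts]


# Constructed sample: one address hammering the ssh port, a legitimate login
# from another address in between, then the first address again after a minute.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7"), (5, "203.0.113.7"), (10, "203.0.113.7"),
    (12, "198.51.100.2"), (15, "203.0.113.7"), (20, "203.0.113.7"),
    (25, "203.0.113.7"),   # sixth attempt inside 60 s: dropped
    (70, "203.0.113.7"),   # attempts at 0, 5 and 10 have expired: allowed again
]

if __name__ == "__main__":
    for (t, src), ok in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:3d} {src:14s} {'allow' if ok else 'drop'}")
```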
