From: Henrik Hudson
To: freebsd-hackers@freebsd.org
Cc: Rich Healey
Date: Mon, 29 Sep 2008 19:39:41 -0800
Subject: Re: SSH Brute Force attempts

On Monday 29 September 2008, Rich Healey sent a missive stating:
> Recently I'm getting a lot of brute force attempts on my server, in the
> past I've used various tips and tricks with linux boxes but many of them
> were fairly linux specific.
>
> What do you BSD guys use for this purpose?
>
> If this belongs on -security let me know and I'll ask over there.
>
> Cheers
>
> Rich

Yeap, -security

However, also try this in pf.conf (specific rules related to this; you'll
need more for a real pf.conf):

    table <badguys> persist
    block in quick from <badguys>
    pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
        keep state (max-src-conn 5, max-src-conn-rate 4/300, \
        overload <badguys> flush global)

This will add "badguys" to the table if they connect more than 4 times in
300 seconds. Then use the expiretables port from a cronjob to remove IPs if
you feel like it.

Henrik

--
Henrik Hudson
rhavenn@rhavenn.net
------------------------------
"There are 10 kinds of people in the world: Those who understand binary and
those who don't..."
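The 4-connections-in-300-seconds rule from the message above, re-implemented in user space as an added example (not code from Henrik's reply or from the pf project): it walks sshd lines from auth.log with the same sliding window that max-src-conn-rate 4/300 applies, reports which sources pf would have overloaded into the badguys table, and builds the pfctl commands that would add them by hand. The log lines, host name and year are constructed assumptions; the log is assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the original message) in the syslog
# format sshd writes to /var/log/auth.log on FreeBSD.
SAMPLE_AUTH_LOG = """\
Sep 29 23:40:01 host sshd[1001]: Invalid user admin from 203.0.113.5
Sep 29 23:40:03 host sshd[1002]: Invalid user oracle from 203.0.113.5
Sep 29 23:40:05 host sshd[1003]: Invalid user test from 203.0.113.5
Sep 29 23:41:10 host sshd[1004]: Invalid user guest from 203.0.113.5
Sep 29 23:41:12 host sshd[1005]: Invalid user admin from 203.0.113.5
Sep 29 23:42:00 host sshd[1006]: Accepted publickey for henrik from 198.51.100.7 port 50022 ssh2
Sep 30 00:10:00 host sshd[1007]: Invalid user admin from 192.0.2.9
Sep 30 00:20:00 host sshd[1008]: Invalid user admin from 192.0.2.9
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .*?\bfrom (\d+(?:\.\d+){3})")
LOG_YEAR = 2008  # syslog lines carry no year; assumed to match the thread's date

def parse_attempts(log_text):
    """Yield (timestamp, source_ip) for every sshd line that names a peer."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def overloaded_sources(log_text, max_conns=4, window_seconds=300):
    """Sliding-window counter mirroring max-src-conn-rate max_conns/window_seconds.
    Returns {ip: time at which the source first exceeded the rate}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    hit = {}
    for ts, ip in parse_attempts(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) > max_conns and ip not in hit:
            hit[ip] = ts
    return hit

def pfctl_add_commands(ips, table="badguys"):
    """pfctl invocations that would put these sources into the overload table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]

if __name__ == "__main__":
    hits = overloaded_sources(SAMPLE_AUTH_LOG)
    for ip, when in hits.items():
        print(f"{ip} exceeded 4 connections/300s at {when:%H:%M:%S}")
    print("\n".join(pfctl_add_commands(hits)))
```

Note that pf counts every TCP connection to port ssh, successful logins included, which is why the accepted publickey line is counted as well.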