Date: Tue, 30 Sep 2008 16:07:23 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-hackers@freebsd.org, roberto@keltia.freenix.fr
Subject: Re: SSH Brute Force attempts
Message-ID: <48E240AB.9040802@infracaninophile.co.uk>
In-Reply-To: <200809301401.m8UE1QDm039930@lurza.secnetix.de>
References: <200809301401.m8UE1QDm039930@lurza.secnetix.de>

Oliver Fromme wrote:
| Ollivier Robert <> wrote:
|  > According to Henrik Hudson:
|  > > Yeap, -security
|  > >
|  > > However, also try this in pf.conf (specific rules related to this; you'll need
|  > > more for a real pf.conf):
|  > >
|  > > table <badguys> { } persist
|  > > block in quick from <badguys>
|  > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
|  > > (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
|  >
|  > That one is very effective.
|
| It's especially effective to enable to DoS you.
| An attacker simply has to spoof the source address
| on SYN packets, which is trivial.  :-(

Adding a whitelist of ssh addresses that should never be blocked is equally
trivial....

But, like the perl folk say: TIMTOWTDI.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
Flat 3 ~ 7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey
Ramsgate ~ Kent, CT11 9PW, UK
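
The whitelist suggested in the reply above, applied to the pf.conf rules quoted in the thread. This is an added example, not part of the original message; the interface name `em0`, the table name `<ssh_trusted>` and the addresses (documentation ranges) are assumptions to be replaced with real values.

```pf
# --- macros (assumption: external interface is em0) ---
ext_if = "em0"

# --- tables ---
# Constructed sample entries: management hosts that must never be locked out.
# "const" stops the table from being altered with pfctl at runtime.
table <ssh_trusted> const { 192.0.2.10, 198.51.100.0/24 }
# Filled automatically by the overload rule further down.
table <badguys> persist

# --- filter rules ---
# 1. Trusted sources match here first. "quick" ends evaluation, so these
#    connections never reach the <badguys> block or the rate-limited rule,
#    and therefore cannot be pushed into <badguys> by it.
pass in quick on $ext_if proto tcp from <ssh_trusted> to ($ext_if) port ssh \
    keep state

# 2. Anything already flagged is dropped.
block in quick from <badguys>

# 3. Everyone else: same limits as the rule quoted in the thread.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
    (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)

# Check and inspect:
#   pfctl -nf /etc/pf.conf        parse the ruleset without loading it
#   pfctl -t badguys -T show      list addresses currently blocked
```

Rule order matters: if the whitelist rule is placed after `block in quick from <badguys>`, it no longer protects a trusted address that has already landed in the table. pf.conf(5) describes `max-src-conn` and `max-src-conn-rate` as limits on TCP connections that have completed the 3-way handshake.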