Date: Tue, 30 Sep 2008 16:07:23 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-hackers@freebsd.org, roberto@keltia.freenix.fr
Subject: Re: SSH Brute Force attempts
Message-ID: <48E240AB.9040802@infracaninophile.co.uk>
In-Reply-To: <200809301401.m8UE1QDm039930@lurza.secnetix.de>
References: <200809301401.m8UE1QDm039930@lurza.secnetix.de>

Oliver Fromme wrote:
| Ollivier Robert <> wrote:
| > According to Henrik Hudson:
| > > Yeap, -security
| > >
| > > However, also try this in pf.conf (specific rules related to this; you'll need
| > > more for a real pf.conf):
| > >
| > > table <badguys> { } persist
| > > block in quick from <badguys>
| > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
| > > (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
| >
| > That one is very effective.
|
| It's especially effective to enable to DoS you.
| An attacker simply has to spoof the source address
| on SYN packets, which is trivial. :-(

Adding a whitelist of ssh addresses that should never be blocked is equally
trivial....

But, like the perl folk say: TIMTOWTDI.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   Flat 3
                                                  7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW, UK
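
The whitelist suggested in the reply above, combined with the quoted overload
rule, as an added example that is not part of the original thread. The
interface name, the table name <ssh_trusted> and all addresses are constructed
placeholders (RFC 5737 documentation ranges).

```pf
# Added example, not from the thread. Interface and addresses are placeholders.
ext_if = "em0"

# Sources that must never be locked out of ssh. "const" stops the table
# from being altered with pfctl once the ruleset has created it.
table <ssh_trusted> const { 192.0.2.10, 198.51.100.0/24 }

# Filled by the overload action below; "persist" keeps the table in
# memory even while it is empty.
table <badguys> persist

# 1. Trusted sources match first. "quick" stops rule evaluation here, so
#    neither the block rule nor the connection limits ever apply to them,
#    and their states can never trigger the overload action.
pass in quick on $ext_if proto tcp from <ssh_trusted> to ($ext_if) \
    port ssh keep state

# 2. Anything already listed in <badguys> is dropped.
block in quick from <badguys>

# 3. Every other source is limited. pf.conf(5) describes max-src-conn and
#    max-src-conn-rate as limits on connections that have completed the
#    TCP 3-way handshake. A source exceeding them is added to <badguys>
#    and "flush global" kills all of its existing states.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
    (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)

# Checks to run from the shell (203.0.113.7 is a constructed address):
#   pfctl -nf /etc/pf.conf                   parse the ruleset without loading
#   pfctl -t badguys -T show                 list blocked sources
#   pfctl -t badguys -T delete 203.0.113.7   release one false positive
#   pfctl -t badguys -T expire 86400         drop entries older than a day
```

Rule order carries the whole effect here: the trusted pass has to come before
the block on <badguys>, and both need "quick", because pf otherwise applies
the last matching rule.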
