Date: Thu, 18 Sep 2008 07:52:06 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Nathan Lay <nslay@comcast.net> Cc: "Marc G. Fournier" <scrappy@hub.org>, freebsd-questions@freebsd.org Subject: Re: Auto blacklist ssh connections ... Message-ID: <48D1FA96.2080406@infracaninophile.co.uk> In-Reply-To: <48D1C3CA.30309@comcast.net> References: <14143EECEC1CC52A4BC39AC3@ganymede.hub.org> <48D1C3CA.30309@comcast.net>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] Nathan Lay wrote: > I employed this solution: > http://johan.fredin.info/openbsd/block_ssh_bruteforce.html > > You have to enable pf, but man it works and it works well! Agreed. I use a slight modification of this configuration on a number of firewalls. As specified in the page referenced above, the rule set causes /any/ too-rapid spate of SSH connections to get you locked out, and that includes legitimate users too. Simple modification is to add a whitelist table for addresses that you never want to lock out: table <static-whitelist> const { \ 12.34.56.78 \ ... \ } persist table <ssh-bruteforce> persist [...] block drop in log quick on $ext_if from <ssh-bruteforce> [...] pass in on $ext_if proto tcp \ from !<static-whitelist> to $ext_if port ssh \ flags S/SA keep state \ (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global) pass in on $ext_if proto tcp \ from <static-whitelist> to $ext_if port ssh \ flags S/SA keep state Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkjR+qMACgkQ8Mjk52CukIySMwCggOBspALMFCTH/81hWDQZ88+S M3wAn2jvb3+AIlNCPyoOsKVkwrJQrobS =ClgD -----END PGP SIGNATURE-----help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48D1FA96.2080406>