Date:      Thu, 15 Oct 2009 20:54:21 -0700 (PDT)
From:      Aflatoon Aflatooni <aaflatooni@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Security blocking question
Message-ID:  <628151.64600.qm@web56204.mail.re3.yahoo.com>
In-Reply-To: <4ACFB17A.1080400@infracaninophile.co.uk>
References:  <526808.11391.qm@web56207.mail.re3.yahoo.com> <4ACFB17A.1080400@infracaninophile.co.uk>


> > 
> > Is there a way that I could configure the server so that if there are for 
> example X attempts from an IP address then for the next Y hours all the SSH 
> requests would be ignored from that IP address? There are only a handful of 
> people who have access to that server.
> 
> Yes.
> 
> In pf.conf:
> 
> table <ssh-bruteforce> persist
> 
> [...]
> 
> block drop in log quick on $ext_if from <ssh-bruteforce>
> 
> [...]
> 
> pass in on $ext_if proto tcp      \
>     from any to $ext_if port ssh \
>     flags S/SA keep state        \
>     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> 
> plus you'll need to add a cron job to clear old entries out of the 
> ssh-bruteforce table after a suitable amount of time has passed.  Use expiretable to do
> that.  Note: in practice I've found that it's a *really good idea* to implement 
> a SSH whitelist of addresses that will never be bruteforce blocked like this -- 
> it's very easy to lock yourself out even if everything you're doing is entirely 
> legitimate.  Coding that is left as an exercise for the reader.
> 

What is the best way of testing the PF rule? Is there a quick way to mimic a brute force? 
Is there a way that I could review the content of the table through pfctl -s all?

Thanks
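The following is an added example, not something posted in this thread. It reuses $ext_if and the <ssh-bruteforce> table from the quoted pf.conf and fills in the whitelist that the quoted reply leaves as an exercise; the whitelist table name <ssh-allowed>, its file /etc/ssh-allowed and the interface names are my own choices. It also answers the two questions above as I would: the cheapest brute-force mimic is simply opening more than 3 TCP connections to port 22 within 30 seconds from a non-whitelisted address (no login attempt is needed, max-src-conn-rate counts new connections), and `pfctl -s all` prints rules and states but not table members, which you list with `pfctl -t ssh-bruteforce -T show`.

```sh
#!/bin/sh
# Added example, not from the thread. Reuses $ext_if and <ssh-bruteforce> from
# the quoted pf.conf; <ssh-allowed>, /etc/ssh-allowed and the interface names
# passed in are assumptions made for illustration.

# Emit a complete pf.conf fragment for the ssh rate limit, including the
# whitelist pass rule the quoted reply leaves to the reader.
# Usage: gen_ssh_rules <interface> [connections] [seconds]
gen_ssh_rules() {
    ext_if=$1
    conns=${2:-3}
    secs=${3:-30}
    cat <<EOF
ext_if = "$ext_if"

# Addresses that must never be rate-limited, one address or CIDR per line.
table <ssh-allowed> persist file "/etc/ssh-allowed"
# Addresses that exceeded the rate; pf adds them, cron/expiretable removes them.
table <ssh-bruteforce> persist

# Whitelisted sources match here first; "quick" stops evaluation, so neither
# the block rule nor the rate-limited pass rule below ever applies to them.
pass in quick on \$ext_if proto tcp from <ssh-allowed> to \$ext_if port ssh \\
    flags S/SA keep state

# Anything already in the overload table is dropped (and logged) immediately.
block drop in log quick on \$ext_if from <ssh-bruteforce>

# Everyone else: more than $conns new connections within $secs seconds puts the
# source into <ssh-bruteforce>; "flush global" also kills its existing states.
pass in on \$ext_if proto tcp from any to \$ext_if port ssh \\
    flags S/SA keep state \\
    (max-src-conn-rate $conns/$secs, overload <ssh-bruteforce> flush global)
EOF
}

# Parse-check the generated fragment without loading it ("-" is stdin).
check_ssh_rules() {
    gen_ssh_rules "$@" | pfctl -nf -
}

# Mimic a brute-force run from the host this is executed on: open N TCP
# connections to the ssh port in quick succession. Only the connections count,
# so no credentials are sent. Run it from an address that is NOT in
# <ssh-allowed> and that you can afford to have blocked; with the 3/30 limit
# the fourth connect should start failing once the block rule applies.
# Usage: mimic_bruteforce <server> [connections]
mimic_bruteforce() {
    host=$1
    n=${2:-5}
    i=1
    while [ "$i" -le "$n" ]; do
        if nc -z -w 2 "$host" 22 2>/dev/null; then
            echo "connect $i: accepted"
        else
            echo "connect $i: refused or timed out (blocked?)"
        fi
        i=$((i + 1))
    done
}

# On the server: list, clear or age the overload table. "pfctl -s all" shows
# rules and states, not table members; tables are addressed with -t/-T.
show_blocked()   { pfctl -t ssh-bruteforce -T show; }
unblock()        { pfctl -t ssh-bruteforce -T delete "$1"; }
# Drop entries older than N seconds (default one hour); usable from cron as a
# stand-in for expiretable.
expire_blocked() { pfctl -t ssh-bruteforce -T expire "${1:-3600}"; }
```

Typical use: `gen_ssh_rules em0 3 30 > /etc/pf.conf.ssh` on the server, `check_ssh_rules em0 3 30` to syntax-check it, then from a second machine `mimic_bruteforce 192.0.2.10 5` and back on the server `show_blocked` to confirm the tester's address landed in the table and `unblock 192.0.2.20` to let it back in. Put your own management address in /etc/ssh-allowed before loading the rules.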

