From: "Reko Turja" <reko.turja@liukuma.net>
To: freebsd-questions@freebsd.org
Date: Wed, 20 Sep 2006 01:03:28 +0300
Subject: Re: sshd brute force attempts?

>>> I've looked around and found several linux-centric things designed to
>>> block brute-force SSH attempts. Anyone out there know of something a bit
>>> more BSD savvy?
>>> I've found a few things based on openBSD's pf, but that doesn't seem to be
>>> the default in BSD either.
>>> Any response appreciated.

If using pf, you can write rules like (original is one line):

pass in on $ext_if proto tcp from any to $ext_if port $tcp_login flags S/SA keep state (max-src-conn-rate 6/25, overload <bad_hosts> flush global)

The rule follows traffic on the ssh port (aliased $tcp_login in my config), and in this case, if the connection attempts exceed 6 in 25 seconds, the offending IP is moved into the "bad_hosts" table and the ruleset is flushed to get the blocking effective. The conn attempt/time ratio can be about anything; I've found the one used good enough.

Then at the top of the ruleset I have the following (the filtering rule from above is further down):

block in quick on $ext_if from <bad_hosts>

The bad host table is initialised in my ruleset like this:

table <bad_hosts> persist { }

Just remember to put it into the right section of pf.conf.

pf is neat, thanks for the dev effort of getting it into the FreeBSD kernel!

-Reko
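As an added example (not Reko's config and not from the thread), the three pieces above assembled into a minimal pf.conf in the order pf requires: macros, then the table, then the block rule ahead of the pass rule. The interface name em0 and port 22 are assumed values.

```pf
# Added example, not the original poster's pf.conf.
ext_if = "em0"          # assumed external interface
tcp_login = "22"        # the port the reply aliases as $tcp_login

# Tables are declared before any rule that references them.
# "persist" keeps the table (and its entries) even when no rule uses it.
table <bad_hosts> persist { }

# Filter section. The block rule sits above the pass rule, and "quick"
# stops evaluation, so an overloaded host never reaches the pass rule.
block in quick on $ext_if from <bad_hosts>

# max-src-conn-rate 6/25: more than 6 new connections from one source
# address within 25 seconds adds that address to <bad_hosts>.
# "flush global" additionally kills every state that address already
# holds, so its existing sessions are dropped immediately instead of
# surviving until they close on their own.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_login \
    flags S/SA keep state \
    (max-src-conn-rate 6/25, overload <bad_hosts> flush global)
```

Nothing in this ruleset ages entries out of the table; inspect it with `pfctl -t bad_hosts -T show` and prune it with `pfctl -t bad_hosts -T expire 86400`, which deletes entries older than 86400 seconds, so a periodic expire job is the usual way to let blocked addresses back in.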