From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: "Peter N. M. Hansteen"
Cc: freebsd-questions@freebsd.org
Date: Wed, 20 Sep 2006 07:00:25 +0100
Subject: Re: sshd brute force attempts?
Message-ID: <4510D8F9.6050504@infracaninophile.co.uk>
In-Reply-To: <878xkff5vc.fsf@amidala.kakemonster.bsdly.net>
References: <20060919165400.A4380@prime.gushi.org> <878xkff5vc.fsf@amidala.kakemonster.bsdly.net>
Organization: Infracaninophile
List-Id: User questions (freebsd-questions)

Peter N. M. Hansteen wrote:
> "Dan Mahoney, System Admin" writes:
> 
>> I've found a few things based on openBSD's pf, but that doesn't seem to be
>> the default in BSD either.
> 
> Recent BSDs (all of them, FreeBSD 5.n/6.n included) have PF in the base system.
> 'overload' rules are fairly easy to set up, eg
> 
> table <bruteforce> persist
> 
> # Then somewhere fairly early in your rule set you set up to block from the bruteforcers
> 
> block quick from <bruteforce>
> 
> # And finally, your pass rule.
> 
> pass inet proto tcp from any to $localnet port $tcp_services \
>     flags S/SA keep state \
>     (max-src-conn 100, max-src-conn-rate 15/5, \
>      overload <bruteforce> flush global)
> 
> for more detailed discussion see eg http://www.bgnett.no/~peter/pf/en/bruteforce.html

The really nice thing about this pf based technique is that it does not
need to scan log files (like most of the other brute force blockers).  So
you can use it on a gateway firewall to protect a whole network of
machines behind it.  Although in that case having a whitelist of IPs that
are always allowed to connect would be sensible.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
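A fuller pf.conf fragment, added here as an example and not part of either poster's message, combining the overload rules quoted above with the whitelist Matthew suggests for a gateway. The interface name em0, the network 192.0.2.0/24, the table name <trusted> and the addresses placed in it are assumptions for illustration; <bruteforce> is the table the quoted rules fill. The ordering is the point: the whitelist rule must be a 'quick' pass that sits before the block rule and carries no overload options, otherwise a trusted host that briefly exceeds the rate (a monitoring box, an admin running a parallel ssh tool) lands in the table and is locked out like everyone else.

```pf
# Added example (not from the original message): PF overload rules plus a
# whitelist of hosts that must never be blocked.  Interface, network and
# addresses are assumptions for illustration.
ext_if       = "em0"
localnet     = "192.0.2.0/24"
tcp_services = "{ ssh }"

# Sources that are always allowed to connect (admin workstation, monitoring).
table <trusted>    persist { 192.0.2.10, 198.51.100.0/29 }
# Sources that have tripped the connection limits; filled by the overload rule.
table <bruteforce> persist

set skip on lo0

# 1. Whitelisted sources match here first.  'quick' stops rule evaluation,
#    and there are no max-src-conn* options, so these hosts can neither be
#    blocked by rule 2 nor be added to <bruteforce> by rule 3.
pass in quick on $ext_if inet proto tcp from <trusted> to $localnet \
    port $tcp_services flags S/SA keep state

# 2. Anything already in <bruteforce> is dropped before any other pass rule.
block in log quick on $ext_if from <bruteforce>

# 3. Everyone else: more than 100 concurrent states from one address, or
#    more than 15 new connections within 5 seconds, puts that address into
#    <bruteforce>; 'flush global' also tears down its existing states.
pass in on $ext_if inet proto tcp from any to $localnet \
    port $tcp_services flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

This is only the inbound half of a gateway ruleset. Load it with pfctl -f /etc/pf.conf; pfctl -t bruteforce -T show lists the addresses currently blocked, and a periodic pfctl -t bruteforce -T expire 86400 (from cron) removes entries that have sat in the table for more than a day, so a dynamic address that was once used by an attacker is not blocked forever.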