Date:      Thu, 15 Oct 2009 20:54:21 -0700 (PDT)
From:      Aflatoon Aflatooni <aaflatooni@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Security blocking question
Message-ID:  <628151.64600.qm@web56204.mail.re3.yahoo.com>
In-Reply-To: <4ACFB17A.1080400@infracaninophile.co.uk>
References:  <526808.11391.qm@web56207.mail.re3.yahoo.com> <4ACFB17A.1080400@infracaninophile.co.uk>

> > 
> > Is there a way that I could configure the server so that if there are for
> > example X attempts from an IP address then for the next Y hours all the SSH
> > requests would be ignored from that IP address? There are only a handful of
> > people who have access to that server.
> 
> Yes.
> 
> In pf.conf:
> 
> table <ssh-bruteforce> persist
> 
> [...]
> 
> block drop in log quick on $ext_if from <ssh-bruteforce>
> 
> [...]
> 
> pass in on $ext_if proto tcp        \
>     from any to $ext_if port ssh    \
>     flags S/SA keep state           \
>     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> 
> plus you'll need to add a cron job to clear old entries out of the
> ssh-bruteforce table after a suitable amount of time has passed.  Use
> expiretable to do that.  Note: in practice I've found that it's a *really
> good idea* to implement an SSH whitelist of addresses that will never be
> bruteforce blocked like this -- it's very easy to lock yourself out even if
> everything you're doing is entirely legitimate.  Coding that is left as an
> exercise for the reader.

What is the best way of testing the PF rule? Is there a quick way to mimic a
brute force?
Is there a way that I could review the content of the table through pfctl -s all?

Thanks
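An added example for the two questions in this message (my own script, not part of the thread and not Matthew's code): it mimics a brute force by opening several TCP connections to the SSH port in quick succession from a second host, and inspects, cleans and expires the overload table on the firewall. It assumes the table is named <ssh-bruteforce> and the rule uses max-src-conn-rate 3/30 as in the quoted pf.conf, that sshd listens on port 22, and that nc(1) is available on the probing host; TABLE and PFCTL can be overridden through the environment. Note that `pfctl -s all` only lists table names; the addresses inside a table come from `pfctl -t <table> -T show`.

```shell
#!/bin/sh
# Added example, not from the thread: exercise a pf max-src-conn-rate/overload
# rule and inspect the resulting overload table.
# Assumptions not stated in the thread: the table is <ssh-bruteforce> and the
# rule is "max-src-conn-rate 3/30" as in the quoted pf.conf; sshd is on port 22;
# nc(1) exists on the probing host. TABLE/PFCTL can be overridden via env.
set -u

TABLE="${TABLE:-ssh-bruteforce}"
PFCTL="${PFCTL:-pfctl}"

# Open TRIES separate TCP connections to HOST:PORT back to back. Every new
# connection counts toward max-src-conn-rate, so 4 or more inside 30 s should
# trip a 3/30 limit and put the probing host's address in the table. Once the
# block rule kicks in, SYNs are dropped silently, so -w keeps nc from hanging.
# Run this from an address you can afford to lose access from.
hammer_ssh() {
    host=$1; port=${2:-22}; tries=${3:-5}
    i=0
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        if nc -z -w 2 "$host" "$port" >/dev/null 2>&1; then
            echo "try $i: connected"
        else
            echo "try $i: no connection (blocked, or host down)"
        fi
    done
}

# On the firewall: list the addresses currently in the overload table.
# pfctl -s all only lists table *names*; contents need -t <table> -T show.
show_table() {
    "$PFCTL" -t "$TABLE" -T show
}

# Return 0 if ADDR is present in a "-T show" listing read from stdin.
# The listing has one address per line, indented, so compare the first field
# exactly (a substring match would let 192.0.2.1 match 192.0.2.10).
addr_in_listing() {
    awk -v a="$1" '$1 == a { found = 1 } END { exit !found }'
}

# Remove one address by hand, e.g. from the console after locking yourself out.
unblock() {
    "$PFCTL" -t "$TABLE" -T delete "$1"
}

# What the expiretable cron job from the thread does, using pfctl alone:
# drop entries that have been in the table longer than SECONDS.
expire_older_than() {
    "$PFCTL" -t "$TABLE" -T expire "$1"
}

# Usage: from a second machine  sh pf-ssh-test.sh hammer <firewall-ip> [tries]
#        on the firewall         sh pf-ssh-test.sh show
#                                sh pf-ssh-test.sh check <ip>
#                                sh pf-ssh-test.sh unblock <ip>
#                                sh pf-ssh-test.sh expire 3600
case "${1:-}" in
    hammer)  hammer_ssh "$2" 22 "${3:-5}" ;;
    show)    show_table ;;
    check)   if show_table | addr_in_listing "$2"; then
                 echo "$2 is blocked"
             else
                 echo "$2 is not in $TABLE"
             fi ;;
    unblock) unblock "$2" ;;
    expire)  expire_older_than "$2" ;;
esac
```

Run `hammer` from a second host you do not mind losing for a while, then `show` or `check <ip>` on the firewall: the probing address should appear after the fourth connection inside 30 seconds, and the remaining tries should report no connection because `block drop` discards the SYNs without a reset. `expire` does by hand what the expiretable cron job in the reply does, and `unblock` is what you reach for from the console after the lockout the reply warns about.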