Date: Wed, 20 Sep 2006 01:03:28 +0300 From: "Reko Turja" <reko.turja@liukuma.net> To: <questions@freebsd.org> Subject: Re: sshd brute force attempts? Message-ID: <011601c6dc37$70374460$0a0aa8c0@rivendell> References: <20060919165400.A4380@prime.gushi.org><70e8236f0609191412p5779d94cqa16df5631f4de916@mail.gmail.com> <4464fjd009.fsf@be-well.ilk.org>
next in thread | previous in thread | raw e-mail | index | archive | help
>>> I've looked around and found several linux-centric things designed
>>> to
>>> block brute-force SSH attempts. Anyone out there know of
>>> something a bit
>>> more BSD savvy?
>>> I've found a few things based on openBSD's pf, but that doesn't
>>> seem to be
>>> the default in BSD either.
>>> Any response appreciated.
If using pf, you can write rules like (original is one line):
pass in on $ext_if proto tcp from any to $ext_if port $tcp_login
flags
S/SA keep state (max-src-conn-rate 6/25, overload <bad_hosts>
flush global)
The rule follows traffic in ssh port (aliased $tcp_login in my config)
and in this case if the connection attempts exceed 6 in 25 seconds,
the offending IP is moved into "bad_hosts" table and ruleset is
flushed to get the blocking effective. The conn attempt/time ratio can
be about anything, I've found the one used good enough.
Then in the top of ruleset I have the following (the filtering rule
from above is further down):
block in quick on $ext_if from <bad_hosts>
The bad host table is initialised in my ruleset like this:
table <bad_hosts> persist { }
Just remeber to put it into right section of pf.conf.
pf is neat, thanks for the dev effort of getting it into FreeBSD
kernel!
-Reko
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?011601c6dc37$70374460$0a0aa8c0>