Date: Wed, 20 Sep 2006 01:03:28 +0300 From: "Reko Turja" <reko.turja@liukuma.net> To: <questions@freebsd.org> Subject: Re: sshd brute force attempts? Message-ID: <011601c6dc37$70374460$0a0aa8c0@rivendell> References: <20060919165400.A4380@prime.gushi.org><70e8236f0609191412p5779d94cqa16df5631f4de916@mail.gmail.com> <4464fjd009.fsf@be-well.ilk.org>
>>> I've looked around and found several linux-centric things designed
>>> to block brute-force SSH attempts. Anyone out there know of
>>> something a bit more BSD savvy?
>>> I've found a few things based on openBSD's pf, but that doesn't
>>> seem to be the default in BSD either.
>>> Any response appreciated.

If using pf, you can write rules like (original is one line):

pass in on $ext_if proto tcp from any to $ext_if port $tcp_login flags S/SA keep state (max-src-conn-rate 6/25, overload <bad_hosts> flush global)

The rule follows traffic on the ssh port (aliased $tcp_login in my config), and in this case, if the connection attempts exceed 6 in 25 seconds, the offending IP is moved into the "bad_hosts" table and the ruleset is flushed to get the blocking effective. The conn attempt/time ratio can be about anything; I've found the one used good enough.

Then at the top of the ruleset I have the following (the filtering rule from above is further down):

block in quick on $ext_if from <bad_hosts>

The bad host table is initialised in my ruleset like this:

table <bad_hosts> persist { }

Just remember to put it into the right section of pf.conf.

pf is neat, thanks for the dev effort of getting it into FreeBSD kernel!

-Reko
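As an added example (not part of Reko's message), here is a minimal pf.conf that puts his three pieces in the order pf.conf requires (macros, tables, options, filtering) so the block rule actually takes effect before the pass rule; the interface name em0 and the port value 22 are assumptions for this example.

```pf
# Minimal pf.conf assembling the rules from the message above.
# pf.conf sections must appear in this order: macros, tables, options,
# normalization, queueing, translation, filtering.

# --- macros ---
ext_if = "em0"          # assumption: external interface name
tcp_login = "22"        # sshd port, aliased as in the message

# --- tables ---
# 'persist' keeps the table alive even when no rule references it;
# addresses added by 'overload' below are timestamped when inserted.
table <bad_hosts> persist { }

# --- options ---
set skip on lo0

# --- filtering ---
# The block rule must come first and use 'quick', so a listed host is
# dropped before later pass rules are evaluated.  Existing states still
# match, which is why the overload rule below also uses 'flush'.
block in quick on $ext_if from <bad_hosts>

# Default deny, then allow ssh with a per-source rate limit: more than
# 6 new connections from one address within 25 seconds adds that address
# to <bad_hosts>; 'flush global' kills all of that source's existing states.
block in on $ext_if
pass in on $ext_if proto tcp from any to $ext_if port $tcp_login \
    flags S/SA keep state \
    (max-src-conn-rate 6/25, overload <bad_hosts> flush global)
pass out on $ext_if keep state

# Operating the table (run from a shell, not inside pf.conf):
#   pfctl -nf /etc/pf.conf                  # syntax check before loading
#   pfctl -f /etc/pf.conf                   # load the ruleset
#   pfctl -t bad_hosts -T show              # list currently blocked addresses
#   pfctl -t bad_hosts -T delete 192.0.2.10 # release one address (example IP)
#   pfctl -t bad_hosts -T expire 86400      # drop entries older than one day,
#                                           # e.g. from a daily cron job
```

Check the ruleset with pfctl -nf before loading it, and consider a quick pass rule for a trusted management address above the block so a mistyped rate limit cannot lock out the administrator.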