Date: Wed, 20 Sep 2006 07:45:43 +0200 From: peter@bgnett.no (Peter N. M. Hansteen) To: freebsd-questions@freebsd.org Subject: Re: sshd brute force attempts? Message-ID: <878xkff5vc.fsf@amidala.kakemonster.bsdly.net> In-Reply-To: <20060919165400.A4380@prime.gushi.org> (Dan Mahoney's message of "Tue, 19 Sep 2006 16:55:48 -0400 (EDT)") References: <20060919165400.A4380@prime.gushi.org>
next in thread | previous in thread | raw e-mail | index | archive | help
"Dan Mahoney, System Admin" <danm@prime.gushi.org> writes:
> I've found a few things based on openBSD's pf, but that doesn't seem to be
> the default in BSD either.
Recent BSDs (all of them, FreeBSD 5.n/6.n included) have PF in the base system.
'overload' rules are fairly easy to set up, eg
table <bruteforce> persist
#Then somewhere fairly early in your rule set you set up to block from the bruteforcers
block quick from <bruteforce>
#And finally, your pass rule.
pass inet proto tcp from any to $localnet port $tcp_services \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
overload <bruteforce> flush global)
for more detailed discussion see eg http://www.bgnett.no/~peter/pf/en/bruteforce.html
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?878xkff5vc.fsf>