Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 27 Mar 2013 08:56:37 +1100
From:      "Daniel O'Callaghan" <danny@clari.net.au>
To:        freebsd-questions@freebsd.org
Subject:   Re: Client Authentication
Message-ID:  <51521995.5080203@clari.net.au>
In-Reply-To: <20130326171812.GA20118@shellx.eskimo.com>
References:  <B2DC7342-9F1A-489A-94F0-49802B1E5DF6@lafn.org> <20130326171812.GA20118@shellx.eskimo.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 27/03/2013 4:18 AM, Joseph Olatt wrote:
>> Any ideas/suggestions on this will be appreciated.  Thanks,
>> >
>> >-- Doug
> A little while back I wrote a system to do a simple Two Factor
> Authentication and dynamic manipulation of PF (Packet Filter) Tables. I
> created it to prevent brute-force attacks on the servers that I have
> exposed on the Internet.
I'm happy to share a program I wrote which slows down the brute force 
attackers.
It simply counts the SYN packets from a given IP and limits the rate per 
minute by dropping the packet if they are coming too fast.

Uses ipfw divert sockets, so would work if you prefer ipfw over pf.

If you have a known set of OK IP addresses, you can allow them in ipfw 
rules before the packets get passed through ratelimit.

ratelimit usage:

     -p <size>     maximum packet size (default: 16384 bytes)
     -d <port>     divert port number (default: 1)
     -r <rate>     rate at which 50% of packets are dropped (default: 4)
     -f <rate>     rate at which 100% of packets are dropped (default: 8)
     -l <secs>     number of seconds to sleep between syslog() calls 
(default: 30)
     -z path       path of pidfile (default: /var/run/ratelimit.pid)
     -h            this message

Have you looked at simply using a non-standard port?

Danny



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?51521995.5080203>