From: "Daniel O'Callaghan" <danny@clari.net.au>
To: freebsd-questions@freebsd.org
Date: Wed, 27 Mar 2013 08:56:37 +1100
Subject: Re: Client Authentication
Message-ID: <51521995.5080203@clari.net.au>
In-Reply-To: <20130326171812.GA20118@shellx.eskimo.com>
References: <20130326171812.GA20118@shellx.eskimo.com>
List-Id: User questions <freebsd-questions@freebsd.org>

On 27/03/2013 4:18 AM, Joseph Olatt wrote:
>> Any ideas/suggestions on this will be appreciated. Thanks,
>>
>> -- Doug
>
> A little while back I wrote a system to do a simple Two Factor
> Authentication and dynamic manipulation of PF (Packet Filter) Tables. I
> created it to prevent brute-force attacks on the servers that I have
> exposed on the Internet.

I'm happy to share a program I wrote which slows down the brute-force
attackers. It simply counts the SYN packets from a given IP and limits
the rate per minute by dropping the packet if they are coming too fast.
It uses ipfw divert sockets, so it would work if you prefer ipfw over pf.
If you have a known set of OK IP addresses, you can allow them in ipfw
rules before the packets get passed through ratelimit.

ratelimit usage:
  -p       maximum packet size (default: 16384 bytes)
  -d       divert port number (default: 1)
  -r       rate at which 50% of packets are dropped (default: 4)
  -f       rate at which 100% of packets are dropped (default: 8)
  -l       number of seconds to sleep between syslog() calls (default: 30)
  -z path  path of pidfile (default: /var/run/ratelimit.pid)
  -h       this message

Have you looked at simply using a non-standard port?

Danny
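The per-source SYN counting that Danny describes, written out as an added example (this is not his ratelimit program, whose source is not on the page, and it does not open an ipfw divert socket). It assumes a one-minute counting window, treats the -r value as the count above which every second SYN is dropped and the -f value as the count above which all SYNs are dropped, and ignores anything that is not a plain SYN (SYN/ACK, data segments, non-TCP) so only new connection attempts are counted. The packet builder is a constructed test helper that emits a minimal IPv4+TCP header, standing in for what a divert socket would hand the program.

```python
"""Per-source SYN rate limiting with a soft (50%) and hard (100%) drop threshold."""
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_syn(packet: bytes):
    """Return the source IPv4 address if `packet` is a TCP segment with SYN set
    and ACK clear (a fresh connection attempt); otherwise return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # not IPv4 (or truncated)
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 14:
        return None                       # not TCP, or TCP flags byte missing
    flags = packet[ihl + 13]              # TCP flags sit 13 bytes into the TCP header
    if flags & TCP_SYN and not flags & TCP_ACK:
        return socket.inet_ntoa(packet[12:16])
    return None


class RateLimiter:
    """Counts SYNs per source within a fixed window (assumed: 60 s, as in the post).

    soft_rate (-r): above this many SYNs in the window, every second SYN is dropped.
    hard_rate (-f): above this many SYNs in the window, every SYN is dropped.
    The exact threshold semantics are an assumption; the post does not define them.
    """

    def __init__(self, soft_rate=4, hard_rate=8, window=60.0):
        self.soft_rate = soft_rate
        self.hard_rate = hard_rate
        self.window = window
        self._state = {}  # src_ip -> (window_start, syn_count, drop_toggle)

    def decide(self, src_ip: str, now: float) -> str:
        """Record one SYN from src_ip at time `now`; return "pass" or "drop"."""
        start, count, toggle = self._state.get(src_ip, (now, 0, False))
        if now - start >= self.window:    # window expired: start counting afresh
            start, count, toggle = now, 0, False
        count += 1
        if count > self.hard_rate:
            verdict = "drop"
        elif count > self.soft_rate:
            toggle = not toggle           # alternate, so 50% of SYNs get through
            verdict = "drop" if toggle else "pass"
        else:
            verdict = "pass"
        self._state[src_ip] = (start, count, toggle)
        return verdict

    def handle(self, packet: bytes, now: float) -> str:
        """Verdict for a raw packet: non-SYN traffic is never rate limited."""
        src = parse_syn(packet)
        return "pass" if src is None else self.decide(src, now)


def build_packet(src_ip: str, flags: int, proto: int = 6) -> bytes:
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton("192.0.2.1"))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    limiter = RateLimiter()
    syn = build_packet("203.0.113.7", TCP_SYN)      # constructed source address
    for i in range(12):                              # twelve SYNs within one minute
        print(i + 1, limiter.handle(syn, now=10.0 + i))
```

Whitelisted addresses would be passed in ipfw before the divert rule, exactly as the post suggests, so they never reach `handle()`; the limiter itself only ever sees the remaining SYNs.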