Date: Mon, 29 Sep 2008 19:39:41 -0800
From: Henrik Hudson <rhavenn@rhavenn.net>
To: freebsd-hackers@freebsd.org
Cc: Rich Healey <healey.rich@gmail.com>
Subject: Re: SSH Brute Force attempts
Message-ID: <200809291939.41533.rhavenn@rhavenn.net>
In-Reply-To: <48E16E93.3090601@gmail.com>
References: <48E16E93.3090601@gmail.com>

On Monday 29 September 2008, Rich Healey <healey.rich@gmail.com>
sent a missive stating:
> Recently I'm getting a lot of brute force attempts on my server, in the
> past I've used various tips and tricks with linux boxes but many of them
> were fairly linux specific.
>
> What do you BSD guys use for this purpose?
>
> If this belongs on -security let me know and I'll ask over there.
>
> Cheers
>
>
> Rich

Yeap, -security

However, also try this in pf.conf (specific rules related to this; you'll need
more for a real pf.conf):

table <badguys> { } persist
block in quick from <badguys>
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)

This will add "badguys" to the table if they connect more than 4 times in 300
seconds. Then use the expiretables port from a cronjob to remove IPs if you
feel like it.

Henrik
--
Henrik Hudson
rhavenn@rhavenn.net
------------------------------
"There are 10 kinds of people in the world:
Those who understand binary and those who don't..."
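
Added example, not part of the message above: a way to check a threshold such as 4/300 against existing sshd logs before putting it in pf.conf, so that legitimate users who reconnect often are not swept into <badguys>. It uses a simplified sliding-window model of max-src-conn-rate (not pf's internal rate estimator). The log format (sshd "Connection from" lines, as logged at LogLevel VERBOSE), the sample lines, the year and the name overloaded_sources are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real traffic): 203.0.113.7 hammers the port,
# 198.51.100.20 is a user who reconnects a few times over six minutes.
SAMPLE_LOG = """\
Sep 29 19:00:00 host sshd[900]: Connection from 198.51.100.20 port 50000
Sep 29 19:00:01 host sshd[901]: Connection from 203.0.113.7 port 40001
Sep 29 19:00:03 host sshd[902]: Connection from 203.0.113.7 port 40002
Sep 29 19:00:05 host sshd[903]: Connection from 203.0.113.7 port 40003
Sep 29 19:00:07 host sshd[904]: Connection from 203.0.113.7 port 40004
Sep 29 19:00:09 host sshd[905]: Connection from 203.0.113.7 port 40005
Sep 29 19:02:00 host sshd[906]: Connection from 198.51.100.20 port 50001
Sep 29 19:04:00 host sshd[907]: Connection from 198.51.100.20 port 50002
Sep 29 19:04:30 host sshd[908]: Connection from 198.51.100.20 port 50003
Sep 29 19:06:00 host sshd[909]: Connection from 198.51.100.20 port 50004
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Connection from (?P<ip>\S+) port")

def overloaded_sources(lines, max_rate=4, window=300, year=2008):
    """Return {ip: time of the connection that pushed it past max_rate
    connections within `window` seconds} (sliding-window approximation)."""
    recent = defaultdict(deque)   # ip -> connection times inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        if ip in flagged:         # already in the table: later packets are blocked
            continue
        # syslog timestamps carry no year, so one is supplied (assumed value)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()           # drop connections older than the window
        if len(q) > max_rate:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in overloaded_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} would be added to <badguys> at {when:%H:%M:%S}")
```

Running it with max_rate=3 on the same sample also flags 198.51.100.20, which is the kind of false positive worth finding before the rule goes live.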