From owner-freebsd-questions@FreeBSD.ORG Mon Apr 16 19:13:44 2007
X-Original-To: questions@freebsd.org
Delivered-To: freebsd-questions@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E406916A404 for ; Mon, 16 Apr 2007 19:13:44 +0000 (UTC) (envelope-from erik@cepheid.org)
Received: from mail.cepheid.org (wintermute.cepheid.org [64.92.165.98]) by mx1.freebsd.org (Postfix) with ESMTP id C998A13C45A for ; Mon, 16 Apr 2007 19:13:44 +0000 (UTC) (envelope-from erik@cepheid.org)
Received: by mail.cepheid.org (Postfix, from userid 1006) id 38112170CE; Mon, 16 Apr 2007 13:43:15 -0500 (CDT)
Date: Mon, 16 Apr 2007 13:43:15 -0500
From: Erik Osterholm
To: Bill Moran
Message-ID: <20070416184315.GA93730@idoru.cepheid.org>
References: <20070415200255.18e6ab3f.wmoran@potentialtech.com>
In-Reply-To: <20070415200255.18e6ab3f.wmoran@potentialtech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.2i
Cc: questions@freebsd.org
Subject: Re: Defending against SSH attacks with pf
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 16 Apr 2007 19:13:45 -0000

On Sun, Apr 15, 2007 at 08:02:55PM -0400, Bill Moran wrote:
>
> There was some discussion on this list not too long ago, and someone
> asked if I was willing to make my pf config and the associated scripts
> I wrote for it public. I would have posted on the original thread,
> but I can't find it now.
>
> Here is the information:
> http://www.potentialtech.com/cms/node/16
>
> --
> Bill Moran
> http://www.potentialtech.com

Hi Bill,

I hope you don't mind some suggestions!

Your table names (and anything else enclosed in less-than/greater-than
symbols) got lost, so using the appropriate escape characters in HTML
would be useful.

Also, pf tables can be loaded from files containing a list of IP
addresses or hostnames, one per line. My table line is as follows:

table file "/etc/bruteforce_ssh"

I periodically save blocked hosts to this file using a script to format
and maintain uniqueness. In this way, my blocks persist across reboots.

I'm just as draconian as you are in my blocking policy!

Erik
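The save-to-file step Erik describes, as an added example that is not code from the mail or from either poster: it dumps a live pf table, merges it into the file that the `table ... file` line in pf.conf loads, de-duplicates, and renames the result into place. The table name `bruteforce_ssh` is an assumption (the name in the mail was lost in transit); the path `/etc/bruteforce_ssh` is the one given in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. Snapshot a pf table into the
# file pf.conf loads it from, so bans survive a reboot. TABLE is assumed;
# FILE is the path named in the mail.
set -eu

TABLE="${TABLE:-bruteforce_ssh}"
FILE="${FILE:-/etc/bruteforce_ssh}"

# Normalise an address list on stdin: strip pfctl's indentation and any
# "# comment" text, drop blank lines, emit each entry once, sorted.
normalize() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$' | sort -u
}

# Merge new entries from stdin into the file $1, keeping what is already
# there. The merged list goes to a temp file in the same directory and is
# renamed over the target, so a crash mid-write never leaves pf a
# half-written table file at its next reload.
merge_into_file() {
    target="$1"
    tmp="$(mktemp "${target}.XXXXXX")"
    { [ -f "$target" ] && cat "$target"; cat; } | normalize > "$tmp"
    chmod 0644 "$tmp"
    mv "$tmp" "$target"
}

# Dump the live table (pfctl -T show prints one indented entry per line)
# and fold it into the persistent file.
save_table() {
    pfctl -t "$TABLE" -T show | merge_into_file "$FILE"
}

# Invoke as "script save" from cron; with no argument nothing runs, so the
# file can also be sourced for its functions.
case "${1:-}" in
    save) save_table ;;
esac
```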