Date: Fri, 05 Mar 2010 16:01:32 +0000 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: John <john@starfire.mn.org> Cc: mikel king <mikel.king@olivent.com>, Programmer In Training <pit@joseph-a-nagy-jr.us>, freebsd-questions@freebsd.org Subject: Re: Thousands of ssh probes Message-ID: <4B912ADC.1040802@infracaninophile.co.uk> In-Reply-To: <20100305154439.GA17456@elwood.starfire.mn.org> References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org> <F4960422-5F59-4FF4-A2E4-1F0A4772B78B@olivent.com> <20100305154439.GA17456@elwood.starfire.mn.org>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/03/2010 15:44:39, John wrote: > Maybe I'll have to learn how to do a VPN from FreeBSD.... > > One thought that occurs to me is that pf tables would provide a > direct API without having to hit a database. > > I think I really like this. I may have to implement it for pf. > It should be really easy with CGI and calls to pfctl. There's already a mechanism whereby you can connect into a PF firewall and have it open up extra access for you, all controlled by ssh keys. See: http://www.openbsd.org/faq/pf/authpf.html Not only that, but you can dynamically block brute force attempts to crack SSH passwords using just PF -- no need to scan through auth.log or use an external database. You need something like this in pf.conf: table <ssh-bruteforce> persist [...near the top of the rules section...] block drop in log quick on $ext_if from <ssh-bruteforce> [...later in the rules section...] pass in on $ext_if proto tcp \ from any to $ext_if port ssh \ flags S/SA keep state \ (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global) This adds IPs to the ssh-bruteforce table if there are too frequent attempts to connect from them (more than 3 within 30 seconds in this case) and so blocks all further access. You need to run a cron job to clear out old entries from the ssh-bruteforce table or it will grow continually over time: */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 86400 >/dev/null 2>&1 Cheers, Matthew - -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkuRKtwACgkQ8Mjk52CukIyodQCfZ42OO6DstB5TFCY49uP0KaZl Y+wAn3sBhwad03EGKioC7vBhcqE2vHvP =awJ9 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B912ADC.1040802>