Date: Wed, 27 Mar 2013 08:56:37 +1100 From: "Daniel O'Callaghan" <danny@clari.net.au> To: freebsd-questions@freebsd.org Subject: Re: Client Authentication Message-ID: <51521995.5080203@clari.net.au> In-Reply-To: <20130326171812.GA20118@shellx.eskimo.com> References: <B2DC7342-9F1A-489A-94F0-49802B1E5DF6@lafn.org> <20130326171812.GA20118@shellx.eskimo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 27/03/2013 4:18 AM, Joseph Olatt wrote:
>> Any ideas/suggestions on this will be appreciated. Thanks,
>> >
>> >-- Doug
> A little while back I wrote a system to do a simple Two Factor
> Authentication and dynamic manipulation of PF (Packet Filter) Tables. I
> created it to prevent brute-force attacks on the servers that I have
> exposed on the Internet.
I'm happy to share a program I wrote which slows down the brute force
attackers.
It simply counts the SYN packets from a given IP and limits the rate per
minute by dropping the packet if they are coming too fast.
Uses ipfw divert sockets, so would work if you prefer ipfw over pf.
If you have a known set of OK IP addresses, you can allow them in ipfw
rules before the packets get passed through ratelimit.
ratelimit usage:
-p <size> maximum packet size (default: 16384 bytes)
-d <port> divert port number (default: 1)
-r <rate> rate at which 50% of packets are dropped (default: 4)
-f <rate> rate at which 100% of packets are dropped (default: 8)
-l <secs> number of seconds to sleep between syslog() calls
(default: 30)
-z path path of pidfile (default: /var/run/ratelimit.pid)
-h this message
Have you looked at simply using a non-standard port?
Danny
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51521995.5080203>