SSH Brute Force attempts

Henrik Hudson rhavenn at rhavenn.net
Tue Sep 30 04:00:04 UTC 2008


On Monday 29 September 2008, Rich Healey <healey.rich at gmail.com> sent a 
missive stating: 
> Recently I'm getting a lot of brute force attempts on my server, in the
> past I've used various tips and tricks with linux boxes but many of them
> were fairly linux specific.
>
> What do you BSD guys use for this purpose?
>
> If this belongs on -security let me know and I'll ask over there.
>
> Cheers
>
>
> Rich

Yeap, -security

However, also try this in pf.conf (specific rules related to this; you'll need 
more for a real pf.conf):

table <badguys> { } persist
block in quick from <badguys>
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state 
(max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)

This will add "badguys" to the table if they connect more than 4 times in 300 
seconds.

Then use the expiretables port from a cronjob to remove IPs if you feel like 
it.


Henrik
-- 
Henrik Hudson
rhavenn at rhavenn.net
------------------------------
"There are 10 kinds of people in the world: Those who
 understand binary and those who don't..."
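The rule quoted above is evaluated inside the pf kernel code, so the following is an added Python model (not pf code, not from the list thread) of what max-src-conn 5, max-src-conn-rate 4/300 and overload <badguys> flush global do to a source address over time; the time values and addresses in the tests are constructed, and the model assumes each counted connection has completed the TCP handshake, as pf requires.

```python
"""Model of the pf rule from the post: max-src-conn 5, max-src-conn-rate 4/300,
overload <badguys> flush global. Added simulation only; pf does this in-kernel."""
from collections import defaultdict, deque

MAX_SRC_CONN = 5        # max-src-conn 5: simultaneous established connections per source
RATE_LIMIT = 4          # max-src-conn-rate 4/300: at most 4 new connections ...
RATE_WINDOW = 300       # ... within any 300-second window


class SshRateLimiter:
    """Per-source bookkeeping equivalent to the rule's state options (simplified)."""

    def __init__(self):
        self.recent = defaultdict(deque)   # src -> times of recent new connections
        self.open = defaultdict(int)       # src -> currently open (established) states
        self.badguys = set()               # contents of table <badguys>

    def _overload(self, src):
        self.badguys.add(src)              # overload <badguys>: source goes into the table
        self.open[src] = 0                 # flush global: all of its existing states are killed
        self.recent[src].clear()

    def connect(self, src, now):
        """Return True if pf would pass a new SSH connection from src at time now."""
        if src in self.badguys:
            return False                   # block in quick from <badguys>
        window = self.recent[src]
        while window and now - window[0] > RATE_WINDOW:
            window.popleft()               # forget connections older than 300 s
        window.append(now)
        # Exceeding either limit puts the source into the overload table.
        if len(window) > RATE_LIMIT or self.open[src] >= MAX_SRC_CONN:
            self._overload(src)
            return False
        self.open[src] += 1
        return True

    def close(self, src):
        """Connection torn down: one fewer open state for src."""
        if self.open[src] > 0:
            self.open[src] -= 1
```

Entries never leave self.badguys here, which is exactly why the post points at expiretables (or pfctl -t badguys -T expire) to age them out.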