sshd brute force attempts?
Peter N. M. Hansteen
peter at bgnett.no
Tue Sep 19 22:45:47 PDT 2006
"Dan Mahoney, System Admin" <danm at prime.gushi.org> writes:
> I've found a few things based on openBSD's pf, but that doesn't seem to be
> the default in BSD either.
Recent BSDs (all of them, FreeBSD 5.n/6.n included) have PF in the base system.
'overload' rules are fairly easy to set up, eg
table <bruteforce> persist
#Then somewhere fairly early in your rule set you set up to block from the bruteforcers
block quick from <bruteforce>
#And finally, your pass rule.
pass inet proto tcp from any to $localnet port $tcp_services \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
overload <bruteforce> flush global)
for more detailed discussion see eg http://www.bgnett.no/~peter/pf/en/bruteforce.html
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd: 220.127.116.11: disconnected after 36099 seconds
More information about the freebsd-questions