sshd brute force attempts?

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Sep 19 23:01:02 PDT 2006


Peter N. M. Hansteen wrote:
> "Dan Mahoney, System Admin" <danm at prime.gushi.org> writes:
> 
>> I've found a few things based on openBSD's pf, but that doesn't seem to be 
>> the default in BSD either.
> 
> Recent BSDs (all of them, FreeBSD 5.n/6.n included) have PF in the base system.
> 'overload' rules are fairly easy to set up, eg 
> 
> table <bruteforce> persist
> 
> #Then somewhere fairly early in your rule set you set up to block from the bruteforcers
> 
> block quick from <bruteforce>
> 
> #And finally, your pass rule.
> 
> pass inet proto tcp from any to $localnet port $tcp_services \
>         flags S/SA keep state \
>         (max-src-conn 100, max-src-conn-rate 15/5, \
>          overload <bruteforce> flush global)
> 
> for more detailed discussion see eg http://www.bgnett.no/~peter/pf/en/bruteforce.html

The really nice thing about this pf based technique is that it does not
need to scan log files (like most of the other brute force blockers). So
you can use it on a gateway firewall to protect a whole network of
machines behind it.

Although in that case having a whitelist of IPs that are always allowed
to connect would be sensible.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
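As an added example (not from either poster in this thread), here is how the overload rule quoted above and the whitelist Matthew suggests fit together in a gateway's pf.conf. The interface name, network and addresses are constructed placeholders; the rest uses only pf syntax already shown in the thread.

```pf
# Gateway pf.conf fragment: brute-force overload rule plus a whitelist
# of hosts that must never be rate-limited or blocked.
# em0, 192.0.2.0/24 and the 198.51.100.x addresses are placeholders.
ext_if = "em0"
localnet = "192.0.2.0/24"
tcp_services = "{ ssh, smtp, www }"

# Trusted sources (e.g. management hosts); consulted before anything else.
table <whitelist> persist { 198.51.100.10, 198.51.100.11 }

# Offenders collected by the overload rule below; persists while empty.
table <bruteforce> persist

# Whitelisted sources bypass the limits: 'quick' ends evaluation here,
# so they can never be added to <bruteforce> by the pass rule below.
pass in quick on $ext_if from <whitelist> to $localnet keep state

# Drop known bruteforcers early, before any pass rule is reached.
block in quick on $ext_if from <bruteforce>

# Everything else is state-tracked with per-source limits: a source with
# more than 100 open connections, or more than 15 new ones in 5 seconds,
# is added to <bruteforce> and all of its existing states are flushed.
pass in on $ext_if inet proto tcp from any to $localnet port $tcp_services \
        flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, \
         overload <bruteforce> flush global)
```

Table entries added by overload stay until removed, so a periodic `pfctl -t bruteforce -T expire 86400` (drop entries older than a day) keeps the table from growing without bound; `pfctl -t bruteforce -T show` lists what is currently blocked.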
