sshd brute force attempts?
Reko Turja
reko.turja at liukuma.net
Tue Sep 19 15:03:27 PDT 2006
>>> I've looked around and found several linux-centric things designed to
>>> block brute-force SSH attempts. Anyone out there know of something a bit
>>> more BSD savvy?
>>> I've found a few things based on openBSD's pf, but that doesn't seem to be
>>> the default in BSD either.
>>> Any response appreciated.
If using pf, you can write rules like:
pass in on $ext_if proto tcp from any to $ext_if port $tcp_login flags S/SA keep state (max-src-conn-rate 6/25, overload <bad_hosts> flush global)
The rule follows traffic on the ssh port (aliased $tcp_login in my config)
and, in this case, if the connection attempts exceed 6 in 25 seconds,
the offending IP is moved into the "bad_hosts" table and the ruleset is
flushed to get the blocking effective. The conn attempt/time ratio can
be about anything; I've found the one used good enough.
Then at the top of the ruleset I have the following (the filtering rule
from above is further down):
block in quick on $ext_if from <bad_hosts>
The bad host table is initialised in my ruleset like this:
table <bad_hosts> persist { }
Just remember to put it into the right section of pf.conf.
pf is neat, thanks for the dev effort of getting it into the FreeBSD kernel!
-Reko
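Assembling the three pieces from the post into one pf.conf fragment, in the order pf requires (macros, tables, then the quick block rule ahead of the rate-limited pass rule); this is an added example, not Reko's own config, and the interface name, the admin_hosts whitelist table and its address are assumptions.

```conf
# Added example: a minimal FreeBSD pf.conf fragment built from the rules in
# the post above. The interface name, the admin_hosts table and its address
# are assumptions, not values from the post.

# --- macros ---
ext_if    = "em0"          # assumed external interface
tcp_login = "22"           # ssh, the port the rate limit applies to

# --- tables ---
# "persist" keeps the table even when no rule references it; entries live
# only in kernel memory and are lost on reboot or ruleset reload.
table <bad_hosts>   persist { }
# assumed: hosts that must never be locked out, e.g. an admin jump host
table <admin_hosts> const { 192.0.2.10 }

# --- filter rules ---
# Block rules first: "quick" stops evaluation, so nothing further down can
# let a listed host back in.
block in quick on $ext_if from <bad_hosts>

# Whitelist admin hosts before the rate-limited rule so they never land in
# the table (a scripted scp loop from an admin box would otherwise trip it).
pass in quick on $ext_if proto tcp from <admin_hosts> to $ext_if port $tcp_login flags S/SA keep state

# Rate-limited ssh: more than 6 new connections in 25 seconds from one
# source adds it to <bad_hosts>, and "flush global" kills all of that
# source's existing states, not only the ssh ones.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_login \
    flags S/SA keep state (max-src-conn-rate 6/25, overload <bad_hosts> flush global)
```

Entries never expire on their own: inspect the table with `pfctl -t bad_hosts -T show`, age out old entries from cron with `pfctl -t bad_hosts -T expire 86400` (drops entries older than 24 hours), or remove one host with `pfctl -t bad_hosts -T delete <addr>`.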