pf vs null route
bc979 at lafn.org
Mon Jun 15 21:46:51 UTC 2009
My web server is always being attacked by people trying to guess our
user's passwords. Most of the time the ids they try are not in use so
there is only a log entry and a bit of packet time involved. However,
eventually they are likely to guess a valid id and password. Some of
our users have very weak passwords. Granted they will only be able to
get to the user's personal web space, but that would be inconvenient
for the user.
For a long time I have been using null routes for the persistent
attacks (set a route of 127.0.0.2 for their adddress in the route
table). This works fine. We still get the first SYN packet, but
nothing after that. I do have pf running on several of our servers
for other purposes and have been thinking about replacing the null
routes with a blocking table using pf. The question is which scales
better? My guess based on presumed implementation techniques is that
pf will scale better. I currently have a table for incoming mail that
has over 100K entries and there is no noticable effect on mail
processing times. Unfortunately I can't tell if that is because I
also don't have any good way to determine if there were any effects.
pf would certainly provide additional capabilites, but given the
limited use of this server, I don't see any need for anything more.
Since we provide telnet and ftp access for users to their personal web
pages, I keep anything important on another server.
More information about the freebsd-questions