Security blocking question
Aflatoon Aflatooni
aaflatooni at yahoo.com
Fri Oct 16 03:54:22 UTC 2009
> >
> > Is there a way that I could configure the server so that if there are for
> example X attempts from an IP address then for the next Y hours all the SSH
> requests would be ignored from that IP address? There are only a handful of
> people who have access to that server.
>
> Yes.
>
> In pf.conf:
>
> table persist
>
> [...]
>
> block drop in log quick on $ext_if from
>
> [...]
>
> pass in on $ext_if proto tcp \
> from any to $ext_if port ssh \
> flags S/SA keep state \
> (max-src-conn-rate 3/30, overload flush global)
>
> plus you'll need to add a cron job to clear old entries out of the
> ssh-bruteforce
> table after a suitable amount of time has passed. Use expiretable to do
> that. Note: in practice I've found that it's a *really good idea* to implement
> a SSH whitelist of addresses that will never be bruteforce blocked like this --
> it's very easy to lock yourself out even if everything you're doing is entirely
> legitimate. Coding that is left as an exercise for the reader.
>
What is the best way of testing the PF rule? Is there a quick way to mimic a brute force?
Is there a way that I could review the content of the table through pfctl -s all
Thanks
More information about the freebsd-questions
mailing list