Security blocking question

Aflatoon Aflatooni aaflatooni at
Fri Oct 16 03:54:22 UTC 2009

> > 
> > Is there a way that I could configure the server so that if there are for 
> example X attempts from an IP address then for the next Y hours all the SSH 
> requests would be ignored from that IP address? There are only a handful of 
> people who have access to that server.
> Yes.
> In pf.conf:
> table persist
> [...]
> block drop in log quick on $ext_if from 
> [...]
> pass in on $ext_if proto tcp      \
>     from any to $ext_if port ssh \
>     flags S/SA keep state        \
>     (max-src-conn-rate 3/30, overload flush global)
> plus you'll need to add a cron job to clear old entries out of the 
> ssh-bruteforce
> table after a suitable amount of time has passed.  Use expiretable to do
> that.  Note: in practice I've found that it's a *really good idea* to implement 
> a SSH whitelist of addresses that will never be bruteforce blocked like this -- 
> it's very easy to lock yourself out even if everything you're doing is entirely 
> legitimate.  Coding that is left as an exercise for the reader.

What is the best way of testing the PF rule? Is there a quick way to mimic a brute force? 
Is there a way that I could review the content of the table through pfctl -s all



More information about the freebsd-questions mailing list