Security blocking question
aaflatooni at yahoo.com
Fri Oct 16 03:54:22 UTC 2009
> > Is there a way that I could configure the server so that if there are for
> example X attempts from an IP address then for the next Y hours all the SSH
> requests would be ignored from that IP address? There are only a handful of
> people who have access to that server.
> In pf.conf:
> table persist
> block drop in log quick on $ext_if from
> pass in on $ext_if proto tcp \
> from any to $ext_if port ssh \
> flags S/SA keep state \
> (max-src-conn-rate 3/30, overload flush global)
> plus you'll need to add a cron job to clear old entries out of the
> table after a suitable amount of time has passed. Use expiretable to do
> that. Note: in practice I've found that it's a *really good idea* to implement
> a SSH whitelist of addresses that will never be bruteforce blocked like this --
> it's very easy to lock yourself out even if everything you're doing is entirely
> legitimate. Coding that is left as an exercise for the reader.
What is the best way of testing the PF rule? Is there a quick way to mimic a brute force?
Is there a way that I could review the content of the table through pfctl -s all
More information about the freebsd-questions