Security blocking question

Matthew Seaman m.seaman at
Fri Oct 16 07:30:28 UTC 2009

Aflatoon Aflatooni wrote:
>>> Is there a way that I could configure the server so that if there are for 
>> example X attempts from an IP address then for the next Y hours all the SSH 
>> requests would be ignored from that IP address? There are only a handful of 
>> people who have access to that server.
>> Yes.
>> In pf.conf:
>> table persist
>> [...]
>> block drop in log quick on $ext_if from 
>> [...]
>> pass in on $ext_if proto tcp      \
>>     from any to $ext_if port ssh \
>>     flags S/SA keep state        \
>>     (max-src-conn-rate 3/30, overload flush global)
>> plus you'll need to add a cron job to clear old entries out of the 
>> ssh-bruteforce
>> table after a suitable amount of time has passed.  Use expiretable to do
>> that.  Note: in practice I've found that it's a *really good idea* to implement 
>> a SSH whitelist of addresses that will never be bruteforce blocked like this -- 
>> it's very easy to lock yourself out even if everything you're doing is entirely 
>> legitimate.  Coding that is left as an exercise for the reader.
> What is the best way of testing the PF rule? Is there a quick way to mimic a brute force? 
> Is there a way that I could review the content of the table through pfctl -s all

To test, you need access to a machine not in your whitelist from where you
can try ssh'ing into the protected machine several times in rapid sequence.
3 times in 30s sounds quite fast, but it is actually not to hard to achieve
accidentally, especially if you use tools like rsync over SSH transport.  You
should have a login concurrently from some other IP or on the console, otherwise
you will lock yourself out.

To see what IPs have been added to the ssh-bruteforce table and when and what
traffic has been blocked:

   # pfctl -vv -t ssh-bruteforce -T show

To manually delete an IP from the ssh-bruteforce table:

   # pfctl -t ssh-bruteforce -T delete

As noted elsewhere in this thread, instead of using expiretable, you can run this
out of cron to expire addresses over a day old from the ssh-bruteforce blocklist:

   # pfctl -t ssh-bruteforce -T expire 86400

The pfctl(8) man page is pretty illuminating.



PS.  Got to love the way that HTML-ising e-mail has deleted the table name
from the examples above.  I hope you could actually read it unmunged. Plain
text rools!

Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:     Ramsgate
                                                  Kent, CT11 9PW

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 259 bytes
Desc: OpenPGP digital signature
Url :

More information about the freebsd-questions mailing list