Thousands of ssh probes

Matthew Seaman m.seaman at
Fri Mar 5 16:01:38 UTC 2010


On 05/03/2010 15:44:39, John wrote:
> Maybe I'll have to learn how to do a VPN from FreeBSD....
> One thought that occurs to me is that pf tables would provide a
> direct API without having to hit a database.
> I think I really like this.  I may have to implement it for pf. 
> It should be really easy with CGI and calls to pfctl.

There's already a mechanism whereby you can connect into a PF firewall
and have it open up extra access for you, all controlled by ssh keys.


Not only that, but you can dynamically block brute force attempts to
crack SSH passwords using just PF -- no need to scan through auth.log or
use an external database.  You need something like this in pf.conf:

table <ssh-bruteforce> persist

[...near the top of the rules section...]
block drop in log quick on $ext_if from <ssh-bruteforce>

[...later in the rules section...]
pass in on $ext_if proto tcp      \
     from any to $ext_if port ssh \
     flags S/SA keep state        \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

This adds IPs to the ssh-bruteforce table if there are too frequent
attempts to connect from them (more than 3 within 30 seconds in this
case) and so blocks all further access.

You need to run a cron job to clear out old entries from the
ssh-bruteforce table or it will grow continually over time:

*/12 * * * *	/sbin/pfctl -t ssh-bruteforce -T expire 86400 >/dev/null 2>&1



-- 
Dr Matthew J Seaman MA, D.Phil.
PGP:
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
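The following is an added example, not part of the original post and not pf code: a small model of what the `max-src-conn-rate 3/30, overload <ssh-bruteforce>` rule and the `pfctl -T expire 86400` cron job above do, run over a constructed list of SYNs to port 22. Real pf computes the rate as a moving-average approximation; this model uses an exact sliding window, which is close enough to reason about the threshold (the 4th new connection inside 30 seconds trips it, the 3rd does not) and about how long an entry lingers. The sample addresses and timestamps are made up for the example.

```python
"""Model of pf's max-src-conn-rate / overload table / pfctl -T expire.

Added example (not from the original post or from pf itself).  Constructed
input: (unix_time, source_ip) pairs for new TCP connections to port 22.
"""
from collections import defaultdict, deque

# Constructed sample: 198.51.100.7 hammers the port, 203.0.113.5 is a
# normal user, 192.0.2.9 makes exactly 3 connections in 30 s, which is at
# the limit but does not exceed it.
SAMPLE_SYNS = [
    (1000, "203.0.113.5"),
    (1001, "198.51.100.7"),
    (1002, "198.51.100.7"),
    (1003, "198.51.100.7"),
    (1004, "198.51.100.7"),   # 4th SYN within 30 s -> overload
    (1005, "198.51.100.7"),   # already in the table, never reaches pass rule
    (1010, "192.0.2.9"),
    (1020, "192.0.2.9"),
    (1029, "192.0.2.9"),      # 3 within 30 s: allowed
    (1100, "203.0.113.5"),
    (1200, "203.0.113.5"),
]


def overload_sources(syns, limit=3, window=30):
    """Return {ip: time_added} for sources that exceed `limit` new
    connections within any `window`-second span, i.e. the sources pf would
    push into the overload table for `max-src-conn-rate limit/window`.

    Once a source is in the table the `block ... quick from <table>` rule
    drops its packets, so later SYNs from it are not counted any more."""
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    table = {}
    for t, ip in sorted(syns):
        if ip in table:
            continue
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()           # forget attempts older than the window
        if len(q) > limit:
            table[ip] = t         # overload: add to <ssh-bruteforce>
    return table


def expire(table, now, ttl=86400):
    """Model `pfctl -t ssh-bruteforce -T expire ttl`: drop entries added
    (or last cleared) more than ttl seconds ago.  Returns the survivors."""
    return {ip: t for ip, t in table.items() if now - t <= ttl}


if __name__ == "__main__":
    blocked = overload_sources(SAMPLE_SYNS)
    print("blocked:", blocked)                       # {'198.51.100.7': 1004}
    print("after 1 day:", expire(blocked, 1004 + 86400 + 1))   # {}
```

Two things the model makes visible that the rule itself does not: the threshold is "more than 3", so three quick reconnects from one host are still fine, and because the block rule is `quick` and sits above the pass rule, a blocked host's continued attempts do not refresh its entry, so a fixed 86400-second expiry really does release it a day after the first trip. Note also that `flush global` kills every existing state from the offending source, so a legitimate user behind the same NAT as an attacker loses established sessions too; raise the rate or whitelist known sources if that matters in your environment.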


More information about the freebsd-questions mailing list