Thousands of ssh probes
Matthew Seaman
m.seaman at infracaninophile.co.uk
Fri Mar 5 16:01:38 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 05/03/2010 15:44:39, John wrote:
> Maybe I'll have to learn how to do a VPN from FreeBSD....
>
> One thought that occurs to me is that pf tables would provide a
> direct API without having to hit a database.
>
> I think I really like this. I may have to implement it for pf.
> It should be really easy with CGI and calls to pfctl.
There's already a mechanism whereby you can connect into a PF firewall
and have it open up extra access for you, all controlled by ssh keys.
See: http://www.openbsd.org/faq/pf/authpf.html
Not only that, but you can dynamically block brute force attempts to
crack SSH passwords using just PF -- no need to scan through auth.log or
use an external database. You need something like this in pf.conf:
table <ssh-bruteforce> persist
[...near the top of the rules section...]
block drop in log quick on $ext_if from <ssh-bruteforce>
[...later in the rules section...]
pass in on $ext_if proto tcp \
from any to $ext_if port ssh \
flags S/SA keep state \
(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
This adds IPs to the ssh-bruteforce table if there are too frequent
attempts to connect from them (more than 3 within 30 seconds in this
case) and so blocks all further access.
You need to run a cron job to clear out old entries from the
ssh-bruteforce table or it will grow continually over time:
*/12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 86400 >/dev/null 2>&1
Cheers,
Matthew
- --
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkuRKtwACgkQ8Mjk52CukIyodQCfZ42OO6DstB5TFCY49uP0KaZl
Y+wAn3sBhwad03EGKioC7vBhcqE2vHvP
=awJ9
-----END PGP SIGNATURE-----
More information about the freebsd-questions
mailing list