PF to Preventing SMTP Brute Force Attacks
Paul Mather
paul at gromit.dlib.vt.edu
Fri Jun 15 17:12:52 UTC 2012
On Jun 15, 2012, at 12:55 PM, Shiv. Nath wrote:
> # START
> table bruteforce persist
> block in log quick from bruteforce
>
> pass in on $ext_if proto tcp \
> from any to $ext_if port $trusted_tcp_ports \
> flags S/SA keep state \
> (max-src-conn-rate 3/300, overload bruteforce flush global)
>
> # END
>
> AND CRON:
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null
> 2>&1
>
> What is the function "expire 604800" are they entries in the table?
> should it be -t bruteforce or -t ssh-bruteforce
It refers to entries in the table specified by the "-t" option and instructs pf to expire (remove from the table) all entries older than the specified time (in seconds). Basically, the value 604800 will expire entries older than 1 week.
For the above pf rules, the cron entry should be "-t bruteforce" (although in the pf rules you should be using "<bruteforce>").
Cheers,
Paul.
More information about the freebsd-stable
mailing list