Peter N. M. Hansteen wrote:
> "Dan Mahoney, System Admin" <[EMAIL PROTECTED]> writes:
> 
>> I've found a few things based on openBSD's pf, but that doesn't seem to be 
>> the default in BSD either.
> 
> Recent BSDs (all of them, FreeBSD 5.n/6.n included) have PF in the base 
> system.
> 'overload' rules are fairly easy to set up, e.g.
> 
> table <bruteforce> persist
> 
> #Then somewhere fairly early in your rule set you set up to block from the 
> bruteforcers
> 
> block quick from <bruteforce>
> 
> #And finally, your pass rule.
> 
> pass inet proto tcp from any to $localnet port $tcp_services \
>         flags S/SA keep state \
>         (max-src-conn 100, max-src-conn-rate 15/5, \
>          overload <bruteforce> flush global)
> 
> for more detailed discussion see e.g.
> http://www.bgnett.no/~peter/pf/en/bruteforce.html

The really nice thing about this pf-based technique is that it does not
need to scan log files (like most of the other brute force blockers). So
you can use it on a gateway firewall to protect a whole network of
machines behind it.

Although in that case having a whitelist of IPs that are always allowed
to connect would be sensible.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
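As an added example (not from either mail above), here is a pf.conf fragment that puts the quoted overload rule and the suggested whitelist together on a gateway; the interface, network, service list and whitelist addresses are assumed, and the rules are ordered so that whitelisted hosts are passed before the bruteforce block can ever match them.

```pf
# Added example, not from the original thread. Values below are assumed.
ext_if = "em0"
localnet = "192.0.2.0/24"        # assumed protected network behind the gateway
tcp_services = "{ ssh, smtp }"   # assumed services exposed through the gateway

# Hosts that must never be locked out (e.g. a management or monitoring host).
# Assumed addresses; load additional entries at runtime with
#   pfctl -t whitelist -T add <address>
table <whitelist> persist { 198.51.100.10, 198.51.100.11 }
table <bruteforce> persist

# Whitelisted sources are passed first with "quick", so they neither hit the
# bruteforce block below nor get counted by the overload rule.
pass in quick on $ext_if inet proto tcp from <whitelist> to $localnet \
        port $tcp_services flags S/SA keep state

# Drop anything already placed in the overload table.
block in quick on $ext_if from <bruteforce>

# Everyone else: at most 100 concurrent states per source address and no
# more than 15 new connections within 5 seconds. A source exceeding either
# limit is added to <bruteforce>; "flush global" then kills all of that
# source's existing states, not only those created by this rule.
pass in on $ext_if inet proto tcp from any to $localnet \
        port $tcp_services flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, \
         overload <bruteforce> flush global)
```

Entries stay in <bruteforce> until removed, so a periodic `pfctl -t bruteforce -T expire 86400` (from cron, for example) drops addresses older than a day while `pfctl -t bruteforce -T show` lets you review what the rule has caught.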
