> Aflatoon Aflatooni wrote:
> >>> Is there a way that I could configure the server so that if there are for
> >>> example X attempts from an IP address then for the next Y hours all the
> >>> SSH requests would be ignored from that IP address? There are only a
> >>> handful of people who have access to that server.
> >>
> >> Yes.
> >>
> >> In pf.conf:
> >>
> >>     table <ssh-bruteforce> persist
> >>
> >>     [...]
> >>
> >>     block drop in log quick on $ext_if from <ssh-bruteforce>
> >>
> >>     [...]
> >>
> >>     pass in on $ext_if proto tcp \
> >>         from any to $ext_if port ssh \
> >>         flags S/SA keep state \
> >>         (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> >>
> >> plus you'll need to add a cron job to clear old entries out of the
> >> <ssh-bruteforce> table after a suitable amount of time has passed. Use
> >> expiretable to do that. Note: in practice I've found that it's a *really
> >> good idea* to implement a SSH whitelist of addresses that will never be
> >> bruteforce blocked like this -- it's very easy to lock yourself out even
> >> if everything you're doing is entirely legitimate. Coding that is left as
> >> an exercise for the reader.
> >>
> >
> > What is the best way of testing the PF rule? Is there a quick way to mimic
> > a brute force? Is there a way that I could review the content of the table
> > through pfctl -s all
>
> To test, you need access to a machine not in your whitelist from where you
> can try ssh'ing into the protected machine several times in rapid sequence.
> 3 times in 30s sounds quite fast, but it is actually not too hard to achieve
> accidentally, especially if you use tools like rsync over SSH transport. You
> should have a login concurrently from some other IP or on the console,
> otherwise you will lock yourself out.
>
> To see what IPs have been added to the ssh-bruteforce table and when and what
> traffic has been blocked:
>
>     # pfctl -vv -t ssh-bruteforce -T show
>
> To manually delete an IP from the ssh-bruteforce table:
>
>     # pfctl -t ssh-bruteforce -T delete 12.34.56.78
>
> As noted elsewhere in this thread, instead of using expiretable, you can run
> this out of cron to expire addresses over a day old from the ssh-bruteforce
> blocklist:
>
>     # pfctl -t ssh-bruteforce -T expire 86400
>
> The pfctl(8) man page is pretty illuminating.
>
> Cheers,
>
> Matthew
>
Thanks, I have the following in my pf.conf:

    ext_if="bge0"

    # Public Services -- smtp, http, pop3s
    tcpPubServices = "{ 25, 80, 995 }"

    set timeout { interval 10, frag 30 }
    set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
    set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
    set limit { states 10000, frags 5000 }
    #set loginterface none
    set optimization normal
    set block-policy drop
    #set require-order yes
    #set fingerprints "/etc/pf.os"
    set skip on lo0

    # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
    scrub in all

    pass out all
    block in log all

    table <sshBruteForce> { }
    block in quick from <sshBruteForce> to any

    pass in on $ext_if inet proto tcp from any to any port $tcpPubServices \
        flags S/SA synproxy state
    pass in on $ext_if inet proto tcp from any to any port ssh \
        modulate state (source-track rule max-src-nodes 8 max-src-conn 8 \
        max-src-conn-rate 3/60 overload <sshBruteForce> flush global)

And I have tried to make a lot of ssh connections to the box and killing them
with ctrl-c or bad password but nothing gets added to the table. There isn't
anything in the log either. How would I go about figuring out what is wrong?

Thanks

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
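As an added illustration (not code from this thread and not pf's own implementation), the following Python model shows what a `max-src-conn-rate N/S overload <table> flush global` rule does to a stream of new SSH connections, together with the whitelist Matthew recommends and the `pfctl -T expire` ageing he describes. pf approximates the connection rate with a decaying moving average; this model uses an exact sliding window instead, so it is a simplification. The source addresses, timestamps and the `OverloadModel`/`simulate` names are constructed for the example and do not correspond to anything in pf.

```python
"""Simplified model of pf's max-src-conn-rate / overload-table behaviour.

Added example, not pf code. pf computes the rate as a decaying moving
average; this model counts new connections in an exact sliding window.
All addresses and timestamps below are constructed.
"""
from collections import defaultdict, deque


class OverloadModel:
    """Model 'max-src-conn-rate N/S overload <table> flush global', a
    whitelist of never-tracked sources, and 'pfctl -t <table> -T expire'."""

    def __init__(self, limit, seconds, whitelist=()):
        self.limit = limit                  # N new connections ...
        self.seconds = seconds              # ... per S seconds
        self.whitelist = set(whitelist)     # sources that are never tracked
        self.recent = defaultdict(deque)    # src -> timestamps of new states
        self.table = {}                     # overload table: src -> time added

    def new_connection(self, src, now):
        """Return 'pass' or 'block' for a new TCP connection from src at time now."""
        if src in self.whitelist:
            return "pass"                   # whitelisted: never rate-tracked
        if src in self.table:
            return "block"                  # 'block in quick from <table>' wins
        window = self.recent[src]
        window.append(now)
        # Drop timestamps that fell out of the S-second window.
        while window and window[0] <= now - self.seconds:
            window.popleft()
        if len(window) > self.limit:
            # Threshold exceeded: source goes into the overload table and
            # 'flush' tears down the states it already had.
            self.table[src] = now
            window.clear()
            return "block"
        return "pass"

    def expire(self, max_age, now):
        """Like 'pfctl -t <table> -T expire max_age': remove entries older
        than max_age seconds and return the removed sources."""
        expired = sorted(s for s, t in self.table.items() if now - t >= max_age)
        for src in expired:
            del self.table[src]
        return expired


def simulate(attempts, limit, seconds, whitelist=()):
    """Replay constructed (time, src) attempts in time order; return the
    per-source verdict lists and the model (for inspecting the table)."""
    model = OverloadModel(limit, seconds, whitelist)
    verdicts = defaultdict(list)
    for t, src in sorted(attempts):
        verdicts[src].append(model.new_connection(src, t))
    return dict(verdicts), model


# Constructed timeline: seconds since start, source address.
ATTEMPTS = [
    *[(t, "203.0.113.5") for t in (0, 5, 10, 15, 20)],   # rapid-fire attempts
    *[(t, "198.51.100.9") for t in (0, 20, 40, 55)],     # slower, rsync-like
    *[(t, "192.0.2.10") for t in (0, 1, 2, 3)],          # whitelisted admin host
]
WHITELIST = ["192.0.2.10"]

if __name__ == "__main__":
    for rate in ((3, 30), (3, 60)):
        verdicts, model = simulate(ATTEMPTS, *rate, whitelist=WHITELIST)
        print(f"max-src-conn-rate {rate[0]}/{rate[1]}:")
        for src, decisions in verdicts.items():
            print(f"  {src:14} {' '.join(decisions)}")
        print(f"  overload table: {sorted(model.table)}")
        # A day later, the cron'd 'pfctl -T expire 86400' clears the entries.
        print(f"  expired after a day: {model.expire(86400, now=86400 + 60)}")
```

Running it shows the point made earlier in the thread: at 3/30 only the rapid-fire source lands in the table, while at 3/60 the slower source, whose four connections fit inside a sixty-second window, is blocked on its fourth connection as well, which is how an rsync-over-SSH session can trip the rule by accident. The whitelisted host passes every time, and `expire` empties the table once the entries are a day old.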