> Limiting yourself to 200 states won't protect you very much -- you tend
> to get a whole series of attacks from the same IP, and that just uses
> one state at a time.
>
> Instead, look at the frequency with which an attacker tries to connect
> to you. Something like this:
>
> table <bruteforce> persist
>
> [...]
>
> block in log quick from <bruteforce>
>
> [...]
>
> pass in on $ext_if proto tcp \
>     from any to $ext_if port $trusted_tcp_ports \
>     flags S/SA keep state \
>     (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>
> Plus you'll need a cron job like this to clean up the bruteforce table,
> otherwise it will just grow larger and larger:
>
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>
> The end result of this is that if one IP tries to connect to you more
> than 3 times in 5 minutes, they will get blacklisted. I normally use
> this just for ssh, so you might want to adjust the parameters
> appropriately. You should also implement a whitelist for IP ranges you
> control or use frequently and that will never be used for bruteforce
> attacks: it is quite easy to block yourself out with this sort of rule.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
Dear Matthew,

Grateful to you for sending me in the right direction; the solution really sounds good.

Does this look like a good configuration for "/etc/pf.conf"?

# START
table <bruteforce> persist

block in log quick from <bruteforce>

pass in on $ext_if proto tcp \
    from any to $ext_if port $trusted_tcp_ports \
    flags S/SA keep state \
    (max-src-conn-rate 3/300, overload <bruteforce> flush global)
# END

AND CRON:

*/12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1

What is the function of "expire 604800"? Are they entries in the table?

Should it be -t bruteforce or -t ssh-bruteforce?

Thanks

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
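The rate-limit rule above combined with the whitelist Matthew recommends, as an added example that is not part of either poster's message. The `-t` argument of the cron job must name the same table the `overload` keyword fills (here `<bruteforce>`), and `-T expire 604800` removes entries that have not been referenced for 604800 seconds (7 days), so the table does not grow without bound. The interface name, the port list, the `<trusted>` table name and its address ranges are constructed assumptions.

```pf
# Hypothetical /etc/pf.conf fragment (added example, not from the thread).
ext_if = "em0"                  # assumption: external interface
trusted_tcp_ports = "{ 22 }"    # assumption: ssh only, as in the advice above

# Addresses you control; hosts in here are never blacklisted.
# 192.0.2.0/24 and 203.0.113.10 are constructed documentation ranges.
table <trusted> persist { 192.0.2.0/24, 203.0.113.10 }

# Sources that exceeded the connection rate. 'persist' keeps the table
# across rule reloads, so the cron job below is what actually empties it.
table <bruteforce> persist

# Whitelist first and 'quick': a trusted host never reaches the
# rate-limited rule and therefore cannot lock itself out.
pass in quick on $ext_if proto tcp from <trusted> \
    to $ext_if port $trusted_tcp_ports flags S/SA keep state

# Blacklisted sources are dropped (and logged) before any later pass rule.
block in log quick from <bruteforce>

# More than 3 new connections from one source within 300 s adds that source
# to <bruteforce>; 'flush global' also kills the states it already holds.
pass in on $ext_if proto tcp from any to $ext_if port $trusted_tcp_ports \
    flags S/SA keep state \
    (max-src-conn-rate 3/300, overload <bruteforce> flush global)

# Matching cron entry (root's crontab), with the table name corrected to
# match the overload target:
# */12 * * * * /sbin/pfctl -t bruteforce -T expire 604800 >/dev/null 2>&1
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and inspect the current blacklist with `pfctl -t bruteforce -T show`.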