At 04:37 PM 8/21/2008, Brooks Davis wrote:
On Thu, Aug 21, 2008 at 10:10:42PM +0200, Rink Springer wrote:
> On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote:
> > Finally, consider moving to pf instead, if you really feel ipfw is
> > what's causing your machine to crash.  You might be pleasantly surprised
> > by the syntax, and overall administrative usability (it is significantly
> > superior to ipfw, IMHO).
>
> In fact, pf can already do this out-of-the-box, by doing something like:
>
> table <sshlusers> persist
> pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep state \
>      (max-src-conn 15, max-src-conn-rate 5/3, overload <sshlusers> flush global)
>
> If that is not an option, I have found that security/denyhosts works
> pretty well too (it just adds IP's to /etc/hosts.deniedssh, and
> host_access(5) denies them based on this)

You almost certainly don't want to rate limit ssh connections, only failed
ones.  If you rate limit connections and use svn, you're likely to lock
yourself out.

I find a happy balance is to exclude trusted CIDR blocks from the rate limiting and let everything else be limited.

e.g.

table <bruteforce> persist
table <SSHTRUSTED> {192.168.0.0/16,1.0.0.0/24}

block log quick proto tcp from <bruteforce> to any port 22

block in log on $ext_if all

pass log quick proto { tcp } from {!<SSHTRUSTED>} to $myaddress port ssh \
        flags S/SA keep state \
        (max-src-conn 6, max-src-conn-rate 3/30, \
        overload <bruteforce> flush global)

pass in on $ext_if inet proto tcp from <SSHTRUSTED> to $ext_if port ssh keep state

and then a crontab entry

*/5 * * * * /usr/local/sbin/expiretable -v  -t 5m bruteforce

---Mike
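To make the behaviour of Mike's ruleset concrete, here is an added simulation of the per-source logic it relies on: max-src-conn-rate 3/30 overloading a source into <bruteforce>, the <SSHTRUSTED> exemption, and the 5-minute expiretable cron job. This is example code written for this note, not pf code and not from anyone in the thread; it uses a simple sliding window rather than pf's exact moving-average approximation, and the sample addresses are constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Values taken from the ruleset in the post above.
TRUSTED = [ip_network("192.168.0.0/16"), ip_network("1.0.0.0/24")]  # <SSHTRUSTED>
MAX_SRC_CONN_RATE = (3, 30)   # max-src-conn-rate 3/30
EXPIRE_SECONDS = 300          # expiretable -t 5m


class SshRateLimiter:
    """Simplified model of the pass/overload rules plus the expiretable cron job."""

    def __init__(self, trusted=TRUSTED, rate=MAX_SRC_CONN_RATE, expire=EXPIRE_SECONDS):
        self.trusted = trusted
        self.max_conns, self.window = rate
        self.expire = expire
        self.recent = defaultdict(deque)  # src -> timestamps of recent new connections
        self.bruteforce = {}              # the <bruteforce> table: src -> time added

    def is_trusted(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.trusted)

    def expire_table(self, now):
        """What '*/5 * * * * expiretable -t 5m bruteforce' does: drop old entries."""
        for src, added in list(self.bruteforce.items()):
            if now - added >= self.expire:
                del self.bruteforce[src]

    def connect(self, src, now):
        """Return 'pass' or 'block' for a new SSH SYN from src at time now (seconds)."""
        if src in self.bruteforce:
            return "block"            # block log quick ... from <bruteforce>
        if self.is_trusted(src):
            return "pass"             # pass ... from <SSHTRUSTED>: never rate limited
        window = self.recent[src]
        while window and now - window[0] > self.window:
            window.popleft()          # forget connections older than the 30 s window
        window.append(now)
        if len(window) > self.max_conns:
            self.bruteforce[src] = now  # overload <bruteforce>
            window.clear()              # flush global: existing states are torn down
            return "block"              # falls through to 'block in log on $ext_if all'
        return "pass"
```

A trusted svn-over-ssh client that opens many connections in quick succession is never added to the table, which is the point Brooks raises above.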
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable