On 12/19/18 10:26 PM, Steve Fairhead wrote:

> I already use pf.conf to protect my ssh port against such attacks
> (rate-limiting). Can I do anything similar with pf for the openvpn port?
> Don't want to block real users if they screw up once or twice...
> although they are few enough that I can be super-aggressive in denying
> access, and sort it out by phone...

The good thing about the pf.conf state tracking options is that they're
service agnostic.

Anything you can do for ssh, you can do with whatever variations you
need in parameters for all other services that move on TCP. It's
possible your ssh rate limiting rule is very close to what you need.

You might take a peek at
https://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html
for inspiration, if not exact instructions. You'll get the idea :)

All the best,
Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
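
The reply above, sketched as a pf.conf fragment. This is an added example, not part of the original message and not taken from the linked article. It assumes OpenVPN is configured for TCP on port 1194, an OpenBSD-style `egress` interface group, and table names and thresholds constructed for illustration.

```pf
# Added example (not from the original message). Assumptions: OpenVPN runs
# with "proto tcp" on port 1194; table names and limits are constructed.
# Syntax check before loading: pfctl -nf /etc/pf.conf

table <ssh_abusers> persist
table <vpn_abusers> persist

# Drop offenders early, but only for the service they abused.
block in quick on egress proto tcp from <ssh_abusers> to any port ssh
block in quick on egress proto tcp from <vpn_abusers> to any port 1194

# A typical ssh rate-limiting rule: at most 10 simultaneous connections
# per source, and at most 5 new connections per 30 seconds.
pass in on egress proto tcp from any to any port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
    overload <ssh_abusers> flush global)

# The same state tracking options applied to OpenVPN. Only the port,
# the table and the limits change. The limits are tighter here because
# a small set of legitimate users rarely opens many sessions.
pass in on egress proto tcp from any to any port 1194 \
    keep state (max-src-conn 4, max-src-conn-rate 3/60, \
    overload <vpn_abusers> flush global)

# max-src-conn and max-src-conn-rate count TCP connections that have
# completed the three-way handshake, so they do not apply to an
# OpenVPN instance listening on UDP.

# Operational checks (run as root):
#   pfctl -t vpn_abusers -T show            list blocked sources
#   pfctl -t vpn_abusers -T delete <addr>   unblock a user after a phone call
#   pfctl -t vpn_abusers -T expire 86400    drop entries older than 24 hours
```

Running the `expire` command from cron keeps a user who tripped the limit from staying blocked indefinitely.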
