On 22/12/2018 13:20, Stuart Henderson wrote:
> On 2018-12-20, Steve Fairhead <st...@fivetrees.com> wrote:
>> On 20/12/2018 13:20, tors...@cnc-london.net wrote:
>>> Try to add below to your pf.conf
>>>
>>> table <bruteforce> persist
>>> pass in on $ext_if inet proto tcp from any to $ext_if port 1194 \
>>>     (max-src-conn 10, max-src-conn-rate 30/5, \
>>>     overload <bruteforce> flush global)
>>
>> This is pretty much exactly what I have for ssh scanners (with different
>> limits). Aha!
>>
>> On 20/12/2018 13:20, pe...@bsdly.net wrote:
>>> The good thing about the pf.conf state tracking options is that they're
>>> service agnostic.
>>
>> That's the bit I wasn't entirely sure about - thanks. Makes sense now -
>> of course! It's nothing to do with service, just connections. D'oh!
>>
>> I now have a cunning plan, a plan so cunning etc etc. Thanks to all who
>> responded, on- and off-list.
>
> That works for TCP. If you're running openvpn over UDP, as most people do,
> options are more limited - max-src-conn and max-src-conn-rate are not
> available. See the pf.conf manual for reasons.

Aw fork. Missed that detail. Will re-read.

A curious detail: the day after I posted my enquiry, brute-force attacks
dropped from several thousand a day to... 2 or 3. I hadn't yet made any
changes...
Steve
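A fuller pf.conf fragment, added here as an example and not taken from the thread, that pairs the quoted rule with the block rule the overload table needs in order to do anything, and shows what is still available for OpenVPN over UDP. The interface name em0 and the UDP state limit are assumptions; the table name and port 1194 come from the thread.

```conf
# Added example; em0 and the limit values are assumptions.
ext_if = "em0"

# Offending sources collect here. "persist" keeps the table defined
# across rule reloads even while it is empty.
table <bruteforce> persist

# An overload table only bites if some rule consults it. Put the block
# ahead of the pass rules so a listed source is dropped on every port.
block in quick on $ext_if from <bruteforce>

# TCP: max-src-conn and max-src-conn-rate count completed three-way
# handshakes, which is why pf offers them only for TCP (the source
# address of a completed handshake cannot be spoofed). More than 30 new
# connections in 5 s, or more than 10 open at once, puts the source into
# <bruteforce> and "flush global" tears down every state it holds.
pass in on $ext_if inet proto tcp from any to $ext_if port 1194 \
    keep state (max-src-conn 10, max-src-conn-rate 30/5, \
    overload <bruteforce> flush global)

# UDP: no handshake to count, so only the generic limits apply.
# max-src-states caps the concurrent state entries one source may hold;
# new packets from that source beyond the cap simply get no state.
# The overload option is tied to the two TCP counters above, so a UDP
# scanner is throttled here but not added to <bruteforce>.
pass in on $ext_if inet proto udp from any to $ext_if port 1194 \
    keep state (max-src-states 5)
```

Entries never leave <bruteforce> on their own; run `pfctl -t bruteforce -T expire 86400` from cron (or similar) to drop addresses older than a day, and `pfctl -t bruteforce -T show` to see who has been caught.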