Hello Paul,

I've considered that, but in this instance, it's not an option. I agree that limiting exposure is a good first step, but I think brute force protection regardless of source address could be a valuable next step. SSH keys ensure that the accounts won't actually be breached; it's just irritating to me that clearly hostile traffic is allowed to attack the service for as long as it pleases.

Plus it clutters up the logs and uses some CPU/bandwidth resources - and while I have plenty of both, 'waste not, want not'! :)

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC

-----Original Message-----
From: Paul Cockings [mailto:p...@cytringan.co.uk]
Sent: Tuesday, July 21, 2009 1:00 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?

Jeppe Øland wrote:
>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a package
>>> like fail2ban out there which could automatically blacklist IPs after x bad
>>> logins?
>> b) limit the connection-rate to a preferred useful value in the filter-rules
>
> This works reasonably well.
> Unfortunately, the entire rule gets locked down when the rate is exceeded, so you may lock yourself out too. (It automatically unlocks when the hammering stops and your rate interval expires, and most hammer scripts move on to a new IP when it stops responding, so it's not the end of the world).
>
> Request: It would be really nice if pfsense could limit the connection-rate *per IP*.
>
> Regards,
> -Jeppe

Why leave your ssh service exposed to the world? Lock it down to a range of IPs (or subnet of your ISP), or if you don't have static IPs, try setting up OpenVPN. IMO it's best to expose as little as possible.

regards,
Pc

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
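The thread asks for fail2ban-style blacklisting on pfSense, i.e. per-source-address banning driven by failed logins rather than a rate cap on the whole rule. The script below is an added example and is not code from the thread, from fail2ban or from the pfSense project. It parses OpenSSH log lines of the usual "Failed password ... from <ip> port <n>" and "Invalid user ... from <ip> port <n>" form, counts failures per source address, and prints the `pfctl` commands that would add repeat offenders to a pf table; the table name `sshbrute`, the threshold, and the sample log lines are all chosen for this example, and a block rule referencing `<sshbrute>` is assumed to exist already in the ruleset.

```shell
#!/bin/sh
# Added example, not code from the thread, fail2ban or pfSense: a minimal
# fail2ban-style pass over sshd log lines on a FreeBSD-based host such as
# pfSense. Counts failed logins per source address and emits the pfctl
# commands that would add repeat offenders to a pf table.
# Assumptions (chosen for this example): OpenSSH's "Failed password ... from
# <ip> port <n>" / "Invalid user ... from <ip> port <n>" log wording, and a
# block rule that references a table named <sshbrute> already in the ruleset.

# Constructed sample log lines (not real logs): three failures from one
# address, one from another, and one successful key login that must not count.
SAMPLE_LOG='Jul 21 01:00:01 fw sshd[1234]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jul 21 01:00:03 fw sshd[1235]: Invalid user admin from 192.0.2.10 port 40002
Jul 21 01:00:05 fw sshd[1236]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Jul 21 01:00:09 fw sshd[1237]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul 21 01:00:12 fw sshd[1238]: Accepted publickey for nathan from 203.0.113.5 port 52000 ssh2'

# count_failures: read log lines on stdin, print "<count> <ip>" per source,
# most failures first. Only sshd failure lines are considered; lines whose
# source address cannot be extracted are dropped rather than miscounted.
count_failures() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user) ' \
        | sed -nE 's/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) port [0-9]+.*/\1/p' \
        | sort | uniq -c | sort -rn
}

# offenders THRESHOLD: print the addresses with at least THRESHOLD failures,
# one per line. Addresses below the threshold are left alone.
offenders() {
    count_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# ban_commands THRESHOLD: print (do not run) the pfctl commands that would
# add each offender to the <sshbrute> table. An operator can review the
# output and pipe it to sh, or run this from cron against the live log.
ban_commands() {
    offenders "$1" | while read -r ip; do
        printf 'pfctl -t sshbrute -T add %s\n' "$ip"
    done
}

# Stand-alone run over the constructed sample with a threshold of 3 failures.
printf '%s\n' "$SAMPLE_LOG" | ban_commands 3
```

Because the table, not the rule, is what grows, a locked-out administrator is only ever one of the listed addresses, not everyone hitting the rule. pf itself can also track attempts per source address inside a rule's state options (`max-src-conn-rate` together with `overload <table>`), which is the per-IP behaviour Jeppe asks for at the connection level; the log-driven pass above complements that by acting on failed logins rather than on connection bursts, and by feeding the same kind of table.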