Nathan Lay wrote:
I employed this solution: http://johan.fredin.info/openbsd/block_ssh_bruteforce.html
You have to enable pf, but man it works and it works well!
Agreed. I use a slight modification of this configuration on a number of firewalls. As specified in the page referenced above, the rule set causes /any/ too-rapid spate of SSH connections to get you locked out, and that includes legitimate users too. A simple modification is to add a whitelist table for addresses that you never
want to lock out:
table <static-whitelist> const { \
    12.34.56.78 \
    ... \
} persist
table <ssh-bruteforce> persist
[...]
block drop in log quick on $ext_if from <ssh-bruteforce>
[...]
pass in on $ext_if proto tcp \
    from !<static-whitelist> to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
pass in on $ext_if proto tcp \
    from <static-whitelist> to $ext_if port ssh \
    flags S/SA keep state
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
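As an added illustration (not part of the thread and not pf's own code), the following Python model shows how the two pass rules interact: a sliding-window approximation of max-src-conn-rate 3/30 with overload into <ssh-bruteforce>, the whitelist table exempted, and the quick block rule applied first. The addresses and timestamps are constructed, and the window logic simplifies pf's real rate accounting.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample: (seconds, source) of new TCP connections to port ssh,
# i.e. the SYNs pf would evaluate. 12.34.56.78 is the whitelisted address.
SAMPLE_EVENTS = [
    (0, "203.0.113.9"), (5, "203.0.113.9"), (10, "203.0.113.9"),
    (12, "203.0.113.9"), (20, "203.0.113.9"),            # 4 SYNs in 12s, then one more
    (0, "12.34.56.78"), (1, "12.34.56.78"), (2, "12.34.56.78"), (3, "12.34.56.78"),
    (0, "198.51.100.4"), (40, "198.51.100.4"), (80, "198.51.100.4"), (120, "198.51.100.4"),
]


class SshOverloadSimulator:
    """Models: block quick from <ssh-bruteforce>; pass from !<static-whitelist>
    with max-src-conn-rate max_conn/window overload <ssh-bruteforce> flush global;
    pass from <static-whitelist> with no rate limit."""

    def __init__(self, whitelist, max_conn=3, window=30):
        self.whitelist = [ip_network(w) for w in whitelist]   # <static-whitelist>
        self.max_conn, self.window = max_conn, window
        self.recent = defaultdict(deque)   # src -> timestamps of new connections in window
        self.bruteforce = set()            # contents of <ssh-bruteforce>

    def is_whitelisted(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.whitelist)

    def new_connection(self, ts, src):
        """Verdict for one SYN: 'block', 'pass-whitelist', 'pass' or 'overload'."""
        if src in self.bruteforce:
            return "block"             # quick block rule wins, whitelist is never consulted
        if self.is_whitelisted(src):
            return "pass-whitelist"    # second pass rule: no overload, nothing counted
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] >= self.window:
            q.popleft()                # forget connections older than the window
        if len(q) > self.max_conn:     # more than 3 new connections within 30s
            self.bruteforce.add(src)   # overload <ssh-bruteforce>
            q.clear()                  # flush global: existing states from src are gone
            return "overload"
        return "pass"


def run(events, whitelist=("12.34.56.78",)):
    """Replay events in time order; return per-event verdicts and the resulting table."""
    sim = SshOverloadSimulator(whitelist)
    verdicts = [(ts, src, sim.new_connection(ts, src)) for ts, src in sorted(events)]
    return verdicts, sorted(sim.bruteforce)
```

Replaying real sshd or pflog timestamps through run() is a cheap way to check whether a chosen rate would have locked out a legitimate automation host before changing the live rule set.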
