> > Is there a way that I could configure the server so that if there are for
> > example X attempts from an IP address then for the next Y hours all the SSH
> > requests would be ignored from that IP address? There are only a handful of
> > people who have access to that server.
>
> Yes.
>
> In pf.conf:
>
> table <ssh-bruteforce> persist
>
> [...]
>
> block drop in log quick on $ext_if from <ssh-bruteforce>
>
> [...]
>
> pass in on $ext_if proto tcp \
>     from any to $ext_if port ssh \
>     flags S/SA keep state \
>     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
>
> plus you'll need to add a cron job to clear old entries out of the
> ssh-bruteforce table after a suitable amount of time has passed. Use
> expiretable to do that. Note: in practice I've found that it's a *really
> good idea* to implement an SSH whitelist of addresses that will never be
> bruteforce blocked like this -- it's very easy to lock yourself out even if
> everything you're doing is entirely legitimate. Coding that is left as an
> exercise for the reader.
>
What is the best way of testing the PF rule? Is there a quick way to mimic a
brute force?
Is there a way that I could review the content of the table through pfctl -s all?

Thanks
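
An added example, not part of the original messages: one way to lay out the whitelist that the quoted reply leaves as an exercise, with the pfctl commands for inspecting the overload table shown as comments. The interface name, the `<ssh-whitelist>` table name and every address are assumptions made for illustration.

```pf
# Added example; all addresses are constructed (RFC 5737 documentation ranges).
ext_if = "em0"    # assumption: replace with your external interface

# Hosts that must never be rate-limited or blocked (the whitelist).
table <ssh-whitelist> const { 192.0.2.10, 198.51.100.0/24 }

# Offenders are added here by the overload option below.
table <ssh-bruteforce> persist

# 1. Whitelisted sources match first; "quick" stops evaluation, so they
#    never reach the block rule or the rate-limited rule.
pass in quick on $ext_if proto tcp \
    from <ssh-whitelist> to $ext_if port ssh \
    flags S/SA keep state

# 2. Everything already in the overload table is dropped and logged.
block drop in log quick on $ext_if from <ssh-bruteforce>

# 3. Everyone else may connect, but more than 3 new connections in
#    30 seconds puts the source in <ssh-bruteforce> and flushes its states.
pass in on $ext_if proto tcp \
    from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

# Checking and maintaining the table from a root shell:
#   pfctl -nf /etc/pf.conf                  # parse the ruleset without loading it
#   pfctl -t ssh-bruteforce -T show         # list the addresses currently blocked
#   pfctl -t ssh-bruteforce -T delete 203.0.113.5   # unblock one address
#   pfctl -t ssh-bruteforce -T expire 3600  # drop entries older than one hour,
#                                           # where your pfctl supports -T expire
```

Table contents are listed per table with `-t <name> -T show`; `pfctl -s Tables` prints only the table names.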