-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Chris Lobkowicz
Sent: 26 July 2012 01:26
To: misc@openbsd.org
Subject: Re: sshguard

I use both. Sshguard seems to catch a lot, and the subsequent pf ruleset for
max-src-conn seems to catch a fair bit as well.

Here is a snip of my pf.conf:

# SSHguard protection
table <sshguard> persist
block in quick on em0 proto tcp from <sshguard> to any port ssh label "sshguard"

# Bruteforce Protection
table <bruteforce> persist counters
block log (all) quick from <bruteforce>
pass log (all) proto tcp to port ssh keep state (max-src-conn 5, max-src-conn-rate 5/120, overload <bruteforce>)


As for the selectivity on services, I've never used it, so your mileage may
vary, but I do believe sshguard will monitor a service, and block the
offender on that service, and leave the other services access alone.


Let us know how it goes.
Cheers
Chris



On 25/07/2012 11:15, Alvaro Mantilla Gimenez wrote:
> Is it a better solution than pf rules based on max-src-conn and/or
> max-src-conn-rate?
>
> According to the documentation sshguard adds IP addresses to the <sshguard>
> table... so... what if I want to "selectively" block an IP address
> from some services and leave other services open? (i.e.: one IP offending
> ssh access, but I still want to have smtp open for that IP). I can
> accomplish that with different tables/rules in pf... is there any way
> to differentiate IPs blocked by sshguard based on the offended service
> (ssh, smtp, ...)?

I'm running both too :-) but with a slightly different twist on bruteforce
and a "catch all" on sshguard.

block in quick on egress from <sshguard> label "sshguard"

Quote from their website: http://www.sshguard.net/docs/setup/firewall/pf/
Replace $ext_if with your WAN interface name if needed. Omit the proto tcp
and the to any port 22 segment if you want to block all the traffic from
attackers (not just ssh).

/hasse
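As an added example (not from hasse's or Chris's mail), one way to do the selective blocking Alvaro asked about: one overload table per service, each block rule limited to its own port, so an address overloaded on ssh keeps its smtp access. The interface name em0 and the smtp limits are assumptions.

```pf
# Added example, not from the thread. em0 and the smtp limits are assumed
# values; adjust them to the local setup.
ext_if = "em0"

# sshguard fills <sshguard>. Scoping the block rule to port ssh keeps other
# services reachable from the same address (drop "proto tcp ... port ssh"
# to block all traffic from listed addresses instead).
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port ssh label "sshguard"

# One overload table per service; the block rules only cover their own port.
table <ssh_bruteforce> persist counters
table <smtp_bruteforce> persist counters
block log (all) in quick on $ext_if proto tcp from <ssh_bruteforce> to any port ssh label "ssh_bruteforce"
block log (all) in quick on $ext_if proto tcp from <smtp_bruteforce> to any port smtp label "smtp_bruteforce"

# Per-service rate limits. "flush" (not "flush global") removes only the
# states created by the matching rule, so the offender's smtp sessions
# survive an ssh overload.
pass in on $ext_if proto tcp to port ssh flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/120, overload <ssh_bruteforce> flush)
pass in on $ext_if proto tcp to port smtp flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 20/60, overload <smtp_bruteforce> flush)
```

`pfctl -t ssh_bruteforce -T show` lists what the overload rule has caught so far, separately from `pfctl -t sshguard -T show`.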
