I've looked around and found several linux-centric things designed to block brute-force SSH attempts. Anyone out there know of something a bit
more BSD savvy?

I've found a few things based on openBSD's pf, but that doesn't seem to be
the default in BSD either.

Any response appreciated.

If using pf, you can write rules like (original is one line):

pass in on $ext_if proto tcp from any to $ext_if port $tcp_login flags
  S/SA keep state (max-src-conn-rate 6/25, overload <bad_hosts>
  flush global)

The rule follows traffic in ssh port (aliased $tcp_login in my config) and in this case if the connection attempts exceed 6 in 25 seconds, the offending IP is moved into "bad_hosts" table and ruleset is flushed to get the blocking effective. The conn attempt/time ratio can be about anything, I've found the one used good enough.

Then in the top of ruleset I have the following (the filtering rule from above is further down):

  block in quick on $ext_if from <bad_hosts>

The bad host table is initialised in my ruleset like this:

  table <bad_hosts> persist { }

Just remeber to put it into right section of pf.conf.

pf is neat, thanks for the dev effort of getting it into FreeBSD kernel!

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to