Nathan Lay wrote:
I employed this solution:
http://johan.fredin.info/openbsd/block_ssh_bruteforce.html

You have to enable pf, but man it works and it works well!

Agreed.  I use a slight modification of this configuration on
a number of firewalls.  As specified in the page referenced above,
the rule set causes /any/ too-rapid spate of SSH connections to
get you locked out, and that includes legitimate users too.  A simple
modification is to add a whitelist table for addresses that you never
want to lock out:

table <static-whitelist> const { \
   12.34.56.78                  \
   ...                           \
} persist
table <ssh-bruteforce> persist

[...]

block drop in log quick on $ext_if from <ssh-bruteforce>

[...]

pass in on $ext_if proto tcp                      \
    from !<static-whitelist> to $ext_if port ssh \
    flags S/SA keep state                        \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
pass in on $ext_if proto tcp                      \
    from <static-whitelist> to $ext_if port ssh  \
    flags S/SA keep state

        Cheers,

        Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW
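A small Python model of what the rule set above does, added here as an illustration and not code from the post, from pf, or from the page it links to. It treats max-src-conn-rate 3/30 as a sliding window of three new connections per 30 seconds (pf itself uses a moving-average approximation), overload as adding the source to <ssh-bruteforce>, and flush global as killing every state that source owns; the quick block rule is checked first, and whitelisted sources take the second pass rule with no rate limit. 12.34.56.78 is the whitelist address from the post; 192.0.2.0/24, 198.51.100.7, 203.0.113.9 and 203.0.113.50 and the SYN timings are constructed for the demo.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed stand-in for <static-whitelist>: 12.34.56.78 is the address
# from the post, 192.0.2.0/24 is an added example of a whole management net.
WHITELIST = ["12.34.56.78", "192.0.2.0/24"]


class SshRateLimiter:
    """Toy model of the two 'pass in ... port ssh' rules plus the quick block rule.

    max-src-conn-rate N/S is modelled as a sliding window of N new
    connections per S seconds (pf itself uses a moving-average approximation).
    """

    def __init__(self, max_conn=3, window=30, whitelist=()):
        self.max_conn = max_conn
        self.window = window
        self.whitelist = [ip_network(w) for w in whitelist]
        self.bruteforce = set()            # contents of <ssh-bruteforce>
        self.states = defaultdict(int)     # live states per source address
        self.recent = defaultdict(deque)   # timestamps of recent SYNs per source

    def is_whitelisted(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.whitelist)

    def syn(self, t, src):
        """Handle one inbound SYN to port ssh at time t (seconds) from src.

        Returns 'blocked' (hit the quick block rule), 'pass' (state created)
        or 'overload' (rate exceeded: source tabled, its states flushed).
        """
        # 'block drop in log quick ... from <ssh-bruteforce>' is evaluated first.
        if src in self.bruteforce:
            return "blocked"
        # Second pass rule: whitelisted sources keep state with no rate limit.
        if self.is_whitelisted(src):
            self.states[src] += 1
            return "pass"
        # First pass rule: forget SYNs older than the window, then count this one.
        window = self.recent[src]
        while window and t - window[0] >= self.window:
            window.popleft()
        window.append(t)
        if len(window) > self.max_conn:
            # overload <ssh-bruteforce> flush global: table the source and
            # kill every state it owns, whatever rule created them.
            self.bruteforce.add(src)
            self.states[src] = 0
            window.clear()
            return "overload"
        self.states[src] += 1
        return "pass"


# Constructed SYN log: (seconds since start, source address).
EVENTS = [
    (0, "198.51.100.7"), (0, "12.34.56.78"), (0, "203.0.113.50"),
    (1, "198.51.100.7"), (1, "12.34.56.78"), (1, "203.0.113.50"),
    (2, "198.51.100.7"), (2, "12.34.56.78"), (2, "203.0.113.50"),
    (3, "198.51.100.7"), (3, "12.34.56.78"),   # 4th SYN within 30 s from each
    (4, "198.51.100.7"), (4, "12.34.56.78"),
    (10, "203.0.113.9"), (11, "203.0.113.9"), (12, "203.0.113.9"), (13, "203.0.113.9"),
    (40, "203.0.113.50"), (41, "203.0.113.50"), (42, "203.0.113.50"),  # window expired
    (100, "198.51.100.7"),                     # tabled sources stay tabled
]


def run_demo(events=EVENTS, whitelist=WHITELIST):
    """Replay the events in time order; return ({source: [decision, ...]}, limiter)."""
    limiter = SshRateLimiter(3, 30, whitelist)
    decisions = defaultdict(list)
    for t, src in sorted(events, key=lambda e: e[0]):
        decisions[src].append(limiter.syn(t, src))
    return dict(decisions), limiter


if __name__ == "__main__":
    decisions, limiter = run_demo()
    for src, seq in decisions.items():
        print(f"{src:>14}: {' '.join(seq)}")
    print("<ssh-bruteforce> now holds:", sorted(limiter.bruteforce))
```

The replay shows the two points the thread makes: 203.0.113.9 is a legitimate but unwhitelisted host that opens four sessions in a few seconds and is tabled just like the scanner at 198.51.100.7, while 12.34.56.78 does the same and is never touched; 203.0.113.50 stays under the limit because its second burst comes after the 30-second window. Because the table is declared persist, a tabled address stays there until removed; on the real firewall `pfctl -t ssh-bruteforce -T show` lists the entries and `pfctl -t ssh-bruteforce -T delete <addr>` frees a locked-out host.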
