tefol tefol wrote:
> I manage several different pf firewalls around the country,  and so I
> need to have ssh access allowed.  Occasionally,  (more and more
> often lately), I get script kiddies having a go at brute forcing my
> root password (see below) or brute forcing a selection of guessed
> account names (like guest, admin, root, ...)
> 
> While I have quite secure passwords,  the blatting of my console is
> something I object to quite highly.  Is there a way in PF to detect
> all these failed ssh connection attempts from a single address in a
> small time period and block them for a given time period?
> 
> Is there something else I can use to do this more elegantly?

> May 20 13:03:29 gateway sshd[25056]: Failed password for root from
> 69.0.238.65 port 46233 ssh2
> May 20 13:03:29 gateway sshd[25056]: Failed password for root from
> 69.0.238.65 port 46233 ssh2
> May 20 13:03:32 gateway sshd[30463]: Failed password for root from
> 69.0.238.65 port 46283 ssh2
> May 20 13:03:32 gateway sshd[30463]: Failed password for root from
> 69.0.238.65 port 46283 ssh2
> May 20 13:03:34 gateway sshd[7587]: Failed password for root from
> 69.0.238.65 port 46346 ssh2

Check the archives and see stateful tracking in 3.7's pf.conf manual...


For example, the following rules will protect the webserver against
hosts making more than 100 connections in 10 seconds.  Any host which
connects faster than this rate will have its address added to the
<bad_hosts> table and have all states originating from it flushed.  Any
new packets arriving from this host will be dropped unconditionally by
the block rule.

block quick from <bad_hosts>
pass in on $ext_if proto tcp to $webserver port www flags S/SA \
        keep state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
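The rule above counts new connections in kernel; the poster asked for the same thing driven by the sshd log, plus a timed release. Below is an added example (not from the thread, the pf manual, or the pf project) that implements that sliding-window count over the sshd lines quoted in the question and tracks a block expiry per source. Assumptions: syslog lines carry no year, so 2005 is supplied; the threshold (3 failures in 60 s) and block length (10 minutes) are illustrative; the 192.0.2.10 lines are constructed here to show a host that stays under the threshold; the doubled log lines, which this sshd emits per failed attempt, are collapsed so one attempt is counted once.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the five sshd lines from the post plus two added lines
# for a second source (192.0.2.10) that never crosses the threshold.
SAMPLE_LOG = """\
May 20 13:03:29 gateway sshd[25056]: Failed password for root from 69.0.238.65 port 46233 ssh2
May 20 13:03:29 gateway sshd[25056]: Failed password for root from 69.0.238.65 port 46233 ssh2
May 20 13:03:32 gateway sshd[30463]: Failed password for root from 69.0.238.65 port 46283 ssh2
May 20 13:03:32 gateway sshd[30463]: Failed password for root from 69.0.238.65 port 46283 ssh2
May 20 13:03:34 gateway sshd[7587]: Failed password for root from 69.0.238.65 port 46346 ssh2
May 20 13:03:40 gateway sshd[7601]: Failed password for admin from 192.0.2.10 port 50001 ssh2
May 20 13:10:00 gateway sshd[7699]: Failed password for admin from 192.0.2.10 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_failures(text, year=2005):
    """Yield (timestamp, src, pid, port) for each distinct failed login.
    Syslog omits the year, so the caller supplies one (2005 is an assumption
    matching the thread). This sshd logs each failure twice, so exact
    duplicate (timestamp, pid, port) lines count as a single attempt."""
    seen = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["ts"], m["pid"], m["port"])
        if key in seen:
            continue
        seen.add(key)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["pid"]), int(m["port"])


def detect(text, threshold=3, window=timedelta(seconds=60),
           block_for=timedelta(minutes=10), year=2005):
    """Return {src: (blocked_at, expires_at)} for every source that produced
    `threshold` failures inside `window`. The per-source sliding window mirrors
    pf's max-src-conn-rate N/T; `block_for` is the timed release the poster
    wants, which an overload table does not do on its own."""
    recent = defaultdict(deque)
    blocks = {}
    for ts, src, _pid, _port in sorted(parse_failures(text, year)):
        if src in blocks and ts < blocks[src][1]:
            continue  # still blocked: a live pf block rule would drop this
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold:
            blocks[src] = (ts, ts + block_for)
            q.clear()
    return blocks


def is_blocked(blocks, src, when):
    """True if `src` is inside its block interval at time `when`."""
    entry = blocks.get(src)
    return entry is not None and entry[0] <= when < entry[1]


if __name__ == "__main__":
    for src, (start, end) in detect(SAMPLE_LOG).items():
        # Offending addresses are what you would load into the pf table.
        print(f"pfctl -t bad_hosts -T add {src}   # until {end:%H:%M:%S}")
```

Run against the sample, only 69.0.238.65 is flagged (three distinct attempts in five seconds); 192.0.2.10's two attempts are seven minutes apart and never reach the threshold. The addresses it returns are the ones to add to the overload table with `pfctl -t bad_hosts -T add`, and the expiry time is when a cron job or the script's own loop should remove them again with `-T delete`.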
