Hello Everybody,
Faced, like a lot of you, with automated ssh brute-force
attempts on my OpenBSD 3.8 box, I searched the web to
see what others did to protect themselves against
this.
I did the same, forbidding ssh connections with
password and opting for public key authentication, but
that was of no help in cleaning up my
/var/log/authlog, which kept getting bigger and bigger.
That's when I found the elegant solution of rate
limiting connections (putting here just the useful
lines):
table <bruteforce> persist
# Block ssh bruteforcers
block quick from <bruteforce>
# ssh with connection rate limit: max 3 tries every 10 seconds
pass in quick on $external inet proto tcp from any to any \
    port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/10, \
    overload <bruteforce> flush global)
I had a look from time to time to see if I had caught
some "noisy crackers" and saw that the trick was
working. BUT, surprisingly, at some point the table
"self-cleaned", and I was astonished, as normally the
"persist" keyword should keep all those enemies' IPs
until the next reboot, shouldn't it?
Is there a way to set a timeout for a given pf
table?
Thank you for your help and/or suggestions.
Tr0go
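One way to get the timeout the post asks for, as an added example that is not part of Tr0go's message: leave the pf rules as they are and let cron age entries out of the table with pfctl's `-T expire` command, which deletes addresses that were added (or last had their statistics cleared) more than the given number of seconds ago. The one-day lifetime, the hourly and nightly schedules and the path /etc/bruteforce are assumptions for illustration; check pfctl(8) on your own release for `-T expire` and the table `file` keyword before relying on them.

```crontab
# root's crontab (edit with: crontab -e, as root).
#
# Hourly: delete <bruteforce> entries that were added, or last had their
# statistics cleared, more than 86400 seconds (one day) ago.  86400 is an
# assumed lifetime; a source that keeps hammering you is re-added by the
# overload rule as soon as it trips max-src-conn-rate again.
0 * * * * /sbin/pfctl -q -t bruteforce -T expire 86400

# Nightly: dump the surviving entries to a file (assumed path) so they can
# be reloaded after a reboot, which is the one thing "persist" alone does
# not give you: it only keeps the table from being removed when no rule
# references it, it does not save its contents.
55 23 * * * /sbin/pfctl -t bruteforce -T show > /etc/bruteforce
```

To reload the saved entries at boot, declare the table in /etc/pf.conf as `table <bruteforce> persist file "/etc/bruteforce"`; create the file first (`touch /etc/bruteforce`), since pfctl refuses to load a ruleset whose table file is missing. `pfctl -t bruteforce -T show` lists what is currently blocked, and `pfctl -vt bruteforce -T show` adds the per-entry counters and timestamps that `expire` works from.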