Tr0go wrote:
> Hello Everybody,
>
> Faced, like a lot of you, with automated ssh brute-force
> attempts on my OpenBSD 3.8 box, I searched the web to
> see what others did to protect themselves against
> this.
>
> I did the same, forbidding ssh connections with
> password and opting for public key authentication, but
> that was of no help in trying to clean up a little my
> /var/log/authlog, which keeps getting bigger and bigger.
>
> That's when I found the elegant solution of rate
> limiting connections (putting here just the useful
> lines):
>
> table <bruteforce> persist
>
> # Block ssh bruteforcers
> block quick from <bruteforce>
>
> # ssh with connection rate limit: max 3 tries every 10 seconds
> pass in quick on $external inet proto tcp from any to any \
>     port ssh flags S/SA keep state \
>     (max-src-conn 10, max-src-conn-rate 3/10, \
>     overload <bruteforce> flush global)
>
> I had a look from time to time to see if I had caught
> some "noisy crackers" and saw that the trick was
> working. BUT, surprisingly, at some point the table
> "self cleaned" and I was astonished, as normally the
> "persist" keyword should keep all those enemies' IPs
> until the next reboot, shouldn't it?
>
> Is there a way to set a timeout for a given pf
> table?
>
> Thank you for your help and/or suggestions.
> Tr0go
I have a very long list; mine has never blanked out. As a matter of fact, because of policy I started using cron to pipe it to a flat file and clear it out myself, but before that I know I had 40 days or more of IPs in that list, which was, I guess, about 350 IPs. If you search the list archives you will find this has been discussed many times before, and you will find the example from just recently on what I did using what Daniel suggested. I have never seen one just blank out on its own, though.

-- 
http://www.digitalrage.org/
The Information Technology News Center
