2009/7/21 Jeppe Øland <jol...@gmail.com>:
>>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a package
>>>> like fail2ban out there which could automatically blacklist IPs after x
>>> Request: It would be really nice if pfsense could limit the connection-rate
>>> *per IP*.
>> IIRC it is possible to set this per source-IP ;-)
>
> Maybe I missed an option then?
> How do you configure it?
This is configured through the Advanced options in each Filter-Rule. If you set 5 connections, see attached picture ;-)

>> Why leave your ssh service exposed to the world? Lock it down to a range
>> of ip's (or subnet of your isp), or if you don't have static ip's try
>> setting up openvpn. IMO its best to expose as little as possible.
>
> Sometimes you have to expose it.
> I can't install OpenVPN on all PCs that I might need access to servers from,
> and on emergency cellphone access to the servers it just might not be
> possible.
> Best compromise I've found so far has been to require certificates to log in
> to the SSH server.
> Hammering doesn't stop, but the risk of compromising the server is massively
> reduced.
> And with lockdown after X connection attempts in Y seconds, the risk is all
> but gone.
> (For the vast majority of servers at least ... maybe not if you run a bank
> or some such)
> Regards,
> -Jeppe

Yes, only using SSH keys is a very good option, but not useful if you are on the way or do not have your keys at hand..... ;-)

regards
michael

--
= = = m i c h a e l - s c h u h . n e t = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = Ust-ID: DE251072318 = = =
<<attachment: advanced.png>>
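For readers who cannot see the attached screenshot: the Advanced options Michael refers to map onto pf's per-source state-tracking options (max-src-conn, max-src-conn-rate and an overload table). The pf.conf fragment below is an added illustration written for this thread, not pfSense's own generated rule set; the interface name, the table name `bruteforce` and the thresholds (5 new connections per 30 seconds, 5 concurrent states) are assumptions chosen to match the "5 connections" in Michael's reply.

```pf
# Added example: per-source-IP rate limiting for SSH with plain pf.
# Interface, table name and thresholds are assumptions for illustration.
ext_if = "em0"

# Table that collects offending source addresses. "persist" keeps it
# alive even while it is empty.
table <bruteforce> persist

# Anything already in the table is dropped before the pass rule is
# consulted, so a listed host cannot even open new SSH connections.
block in quick on $ext_if from <bruteforce> to any

# Allow SSH, but track each source address:
#   max-src-conn 5         : at most 5 simultaneous states per source IP
#   max-src-conn-rate 5/30 : at most 5 new connections per 30 s per source IP
#   overload <bruteforce>  : on violation, add the source IP to the table
#   flush global           : and kill every existing state from that IP
pass in on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Entries added by overload stay in the table until they are removed, so a periodic `pfctl -t bruteforce -T expire 3600` (for example from cron) is needed to unblock hosts after an hour; `pfctl -t bruteforce -T show` lists who is currently blocked. Note that this is a connection-rate limit, not a failed-login counter like fail2ban: a slow attacker below the rate still reaches sshd, which is why the key-only authentication Jeppe mentions remains the stronger control.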
---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org