What about using Snort in IPS mode? I'm sure there is a rule out there to block a specific IP based on the number of times this event occurs.
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Jul 21, 2009 at 9:00 AM, k_o_l <[email protected]> wrote:
>
> From: Jeppe Øland [mailto:[email protected]]
> Sent: Tuesday, July 21, 2009 5:04 AM
> To: [email protected]
> Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?
>
> >>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a
> >>>> package like fail2ban out there which could automatically blacklist
> >>>> IPs after x
> >>> Request: It would be really nice if pfsense could limit the
> >>> connection-rate *per IP*.
>
> >> IIRC it is possible to set this per source-IP ;-)
>
> Maybe I missed an option then?
> How do you configure it?
>
> >> Why leave you ssh service exposed to the world? Lock it down to a range
> >> of ip's (or subnet of your isp), or if you don't have static ip's try
> >> setting up openvpn
> >> IMO its best to expose as little as possible.
>
> Sometimes you have to expose it.
> I can't install OpenVPN on all PCs that I might need access to servers from,
> and on emergency cellphone access to the servers it just might not be
> possible.
>
> Best compromise I've found so far has been to require certificates to log in
> to the SSH server.
> Hammering doesn't stop, but the risk of compromising the server is massively
> reduced.
> And with lockdown after X connection attempts in Y seconds, the risk is all
> but gone.
> (For the vast majority of servers at least ... maybe not if you run a bank
> or some such)
>
> Regards,
> -Jeppe
>
> What are good values to set?
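The per-source-IP rate limit and the "lockdown after X connection attempts in Y seconds" that the thread asks about, as an added pf.conf example (not posted by anyone in the thread; pfSense runs on pf, and its firewall rule advanced options expose these same state-tracking keywords). Assumptions: the WAN interface is em0, and 5 new SSH connections within 30 seconds from one address is the chosen threshold.

```pf
# Constructed example: rate-limit new SSH connections per source address
# with pf and blacklist addresses that exceed the rate.
# Assumption: WAN interface is em0.
ext_if = "em0"

# Table of offending source addresses; pf fills it via the overload rule.
table <sshbrute> persist

# Drop anything from an address that is already on the blacklist.
block in quick on $ext_if from <sshbrute>

# Allow SSH but track the rate of new connections per source IP.
# More than 5 new connections in 30 seconds (assumed threshold) adds the
# source to <sshbrute> and flushes its existing states.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA \
    keep state (max-src-conn-rate 5/30, overload <sshbrute> flush global)
```

Entries in the table do not age out by themselves; a periodic `pfctl -t sshbrute -T expire 3600` removes addresses older than an hour so a legitimate user who tripped the limit is not locked out for good.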
