2009/7/22 Jeppe Øland <[email protected]>:
>>>>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a
>>>>>> package like fail2ban out there which could automatically blacklist
>>>>>> IPs after x
>>>>> Request: It would be really nice if pfsense could limit the
>>>>> connection-rate *per IP*.
>>>> IIRC it is possible to set this per source-IP ;-)
>>> Maybe I missed an option then?
>>> How do you configure it?
>> This is configured through the Advanced options in each Filter-Rule.
>> If you set 5 connections, see attached picture ;-)
>
> The way I read these options is:
> * Simultaneous client connection limit
> The number of simultaneous connections each client can have.
> * Maximum new connections / per second
> Global maximum connection limits.
Also related per source IP, as far as I understand the lines in the
XML backup file correctly.
The pf filter itself supports it in this way, and I think pfSense uses
it in this way...
as you can see...
====snip===8<=====
<rule>
  <type>pass</type>
  <interface>wan</interface>
  <max-src-nodes>5</max-src-nodes>
  <max-src-states/>
  <statetimeout/>
  <statetype>keep state</statetype>
  <os/>
  <max-src-conn-rate>5</max-src-conn-rate>
  <max-src-conn-rates>60</max-src-conn-rates>
  <protocol>tcp</protocol>
  <source>
    <any/>
  </source>
  <destination>
    <address>mcip</address>
    <port>22</port>
  </destination>
  <descr>limited ssh access to max 5 conn/host 5 conn/minute</descr>
</rule>
=====>8=====snap=========
> The first option will limit how many concurrent SSH sessions I can run from
> any one IP.
> The second option will limit how many connections can be attempted per
> interval.
> As far as I know, setting a client connection limit will *not* prevent the
> connection/time limit from killing you in case somebody starts hammering the
> server.
It does prevent you, because it is related to each source IP on its own... if I
am right...
> Am I not reading these options right?
> (Some documentation would be nice too *G*)
>> Yes, only using SSH keys is a very good option, but not useful if you
>> are on the way or do not have your keys at hand..... ;-)
>
> Indeed everything is a compromise.
> Changing the port also has issues since some admins won't allow all ports
> outbound (of course they might not allow SSH out either).
:-D you could set it to an allowed common port, ok ok, this probably
brings other issues.....
Using port 80, 443 or 25 is not really nice....
> Regards,
> -Jeppe
regards
michael
--
= = = m i c h a e l - s c h u h . n e t = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = Ust-ID: DE251072318 = = =
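The question in the thread is whether the "connection limit" options in a pfSense filter rule are global or per source IP. In pf's own rule syntax they are all per source address: max-src-nodes, max-src-states and max-src-conn-rate N/M are state options keyed on the source IP, and pf can additionally move a source that exceeds the rate into a table with overload <table> flush global, which is the fail2ban-style blacklisting the first poster asked about. The script below is an added example written for this thread; it is neither pfSense's own code nor part of the original mail. It parses a copy of the XML rule fragment quoted above and emits the pf rule line those fields correspond to. The pf keywords are real pf.conf syntax; the macro form $wan/$mcip and the overload table name (defaulting to virusprot, which I believe pfSense's generated ruleset uses) are assumptions, so the table name is a parameter.

```python
"""Translate a pfSense <rule> XML fragment into an equivalent pf rule line.

Added example for the mailing-list thread above; not pfSense's own code.
"""
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the rule fragment quoted in the thread.
SAMPLE_RULE_XML = """<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes>5</max-src-nodes>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<max-src-conn-rate>5</max-src-conn-rate>
<max-src-conn-rates>60</max-src-conn-rates>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>mcip</address>
<port>22</port>
</destination>
<descr>limited ssh access to max 5 conn/host 5 conn/minute</descr>
</rule>"""


def _text(rule, tag):
    """Return the stripped text of a child element, or None if absent or empty
    (pfSense writes unset options as empty elements such as <max-src-states/>)."""
    el = rule.find(tag)
    if el is None or el.text is None or not el.text.strip():
        return None
    return el.text.strip()


def _endpoint(node):
    """Render a <source>/<destination> block as a pf 'address [port N]' expression.
    A non-numeric address is treated as an alias and written as a pf macro
    ($name); this macro convention is an assumption of the example."""
    if node is None or node.find("any") is not None:
        return "any"
    addr = node.findtext("address") or "any"
    port = node.findtext("port")
    host = addr if addr[0].isdigit() else "$" + addr
    return host if port is None else f"{host} port {port}"


def rule_to_pf(xml_text, overload_table="virusprot"):
    """Build the pf rule line. Every max-src-* option is a per-source-address
    limit in pf; when a connection rate is set, offending sources are also
    added to `overload_table` (table name is an assumption, hence a parameter)."""
    rule = ET.fromstring(xml_text)
    parts = [_text(rule, "type") or "pass", "in"]
    iface = _text(rule, "interface")
    if iface:
        parts += ["on", "$" + iface]
    proto = _text(rule, "protocol")
    if proto:
        parts += ["proto", proto]
    parts += ["from", _endpoint(rule.find("source")),
              "to", _endpoint(rule.find("destination"))]

    opts = []
    nodes = _text(rule, "max-src-nodes")
    if nodes:
        opts.append(f"max-src-nodes {nodes}")          # concurrent source IPs
    states = _text(rule, "max-src-states")
    if states:
        opts.append(f"max-src-states {states}")        # states per source IP
    rate, per = _text(rule, "max-src-conn-rate"), _text(rule, "max-src-conn-rates")
    if rate and per:
        opts.append(f"max-src-conn-rate {rate}/{per}")  # new conns per source IP per interval
        opts.append(f"overload <{overload_table}> flush global")

    state = _text(rule, "statetype") or "keep state"
    parts.append(f"{state} ({', '.join(opts)})" if opts else state)
    return " ".join(parts)


if __name__ == "__main__":
    print(rule_to_pf(SAMPLE_RULE_XML))
```

For the sample rule this yields `pass in on $wan proto tcp from any to $mcip port 22 keep state (max-src-nodes 5, max-src-conn-rate 5/60, overload <virusprot> flush global)`. The rate limit therefore applies to each source address separately, and a host that opens more than 5 new SSH connections within 60 seconds is moved into the overload table and has its existing states flushed; on the firewall itself the current contents of such a table can be listed with `pfctl -t <table> -T show`, which is the quickest way to confirm the rule is catching a brute-forcer.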
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org