
Re: Failed password for root...



On 5/21/05, Melameth, Daniel D. <[email protected]> wrote:
> tefol tefol wrote:
> > I manage several different pf firewalls around the country, and so I
> > need to have ssh access allowed.  Occasionally, (more and more
> > often lately), I get script kiddies having a go at brute forcing my
> > root password (see below) or brute forcing a selection of guessed
> > account names (like guest, admin, root, ...)
> >
> > While I have quite secure passwords, the blatting of my console is
> > something I object to quite highly.  Is there a way in PF to detect
> > all these failed ssh connection attempts from a single address in a
> > small time period and block them for a given time period?
> >
> > Is there something else I can use to do this more elegantly?
> Check the archives and see stateful tracking in 3.7's pf.conf manual...
> 
> 
> For example, the following rules will protect the webserver against
> hosts making more than 100 connections in 10 seconds.  Any host which
> connects faster than this rate will have its address added to the
> <bad_hosts> table and have all states originating from it flushed.  Any
> new packets arriving from this host will be dropped unconditionally by
> the block rule.
> 
> block quick from <bad_hosts>
> pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state \
>         (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
> 
or check out
http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf
Kind Regards
Siju
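
The rate limit quoted above counts connections, not failed logins. As an added example (not part of this thread or of any tool it links to), here is a log-driven counterpart that counts sshd "Failed password" lines per source in a sliding window and renders the pfctl calls that would add offenders to the `<bad_hosts>` table. The log layout, host name, thresholds and `year` parameter are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in syslog/sshd format (documentation addresses, not real logs).
SAMPLE_LOG = """\
May 21 03:14:01 fw1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
May 21 03:14:03 fw1 sshd[2103]: Failed password for illegal user guest from 203.0.113.7 port 40118 ssh2
May 21 03:14:05 fw1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40125 ssh2
May 21 03:14:06 fw1 sshd[2107]: Accepted publickey for tefol from 198.51.100.20 port 51000 ssh2
May 21 03:14:08 fw1 sshd[2109]: Failed password for invalid user a from 192.0.2.1 port 1 from 203.0.113.7 port 40131 ssh2
May 21 03:20:00 fw1 sshd[2200]: Failed password for root from 198.51.100.20 port 51010 ssh2
May 21 05:40:00 fw1 sshd[2400]: Failed password for root from 198.51.100.20 port 51030 ssh2
"""

# User name is attacker-chosen: match it greedily and anchor the address at line end.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+ ssh\d?$")

def find_offenders(log_text, max_failures=3, window_s=60, year=2005):
    """Addresses with more than max_failures failed logins within window_s seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # address -> failure times still inside the window
    offenders = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:
            addr = str(ipaddress.ip_address(m.group(2)))  # reject anything not an IP
        except ValueError:
            continue
        # syslog lines carry no year; the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > max_failures and addr not in offenders:
            offenders.append(addr)
    return offenders

def pfctl_commands(offenders, table="bad_hosts"):
    """Render (not run) the pfctl calls that would add each address to the table."""
    return [f"pfctl -t {table} -T add {addr}" for addr in offenders]

if __name__ == "__main__":
    print("\n".join(pfctl_commands(find_offenders(SAMPLE_LOG))))
```

The fifth sample line carries a user name that embeds a second "from ... port" pair; because the address is taken from the end of the line, the failure is still counted against 203.0.113.7 and 192.0.2.1 never reaches the table.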