Rate Limit by Attempts Per Time
-
Hi All,
Sorry, maybe I should post this in Traffic Shapers...
I have a secure SSH gateway that is very adequately protected by times per second rate limiting in RHEL Firewalld.
Is there any way to do this in PFSense? Rather than on the node?
-
@Jake-Biker There are a handful of settings which should do what you're looking for. See this page:
https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#maximum-state-entries-this-rule-can-create
-
Thanks all - It doesn't seem to reset - what am I doing wrong?
Regards
Jake
-
Like after the number of connections set it doesn't allow more?
What exactly did you set?
-
Is there a generally accepted value(s) when it comes to max state entries or max state for fully established? These options can protect the firewall during a DDoS event, but is there any guidance to what a threshold should be? I have a busy webfarm for a client so I’m curious if this is worth looking deeper into.
-
@michmoor I’d (wild) guess it would vary widely depending on the server capacity and web site. One server might handle thousands of simultaneous static page requests while another could only handle dozens to hundreds of PHP pages. Also pfSense might be set with one rule for each web server, or one combined rule. Also, what should the (valid) visitor see, a slow site or connection failure?
-
I am using
Max Connections = 2 (To allow two connections only from each host through the rule - some of our guys like two SSH windows open)
Max.Src.Conn.Rate = 4
Max.Src.Conn.Rates = 30
State Timeout = 30
And it's not working as I expected - I am hoping for 4 attempts to connect every 30 seconds - sure enough after the fourth it locks, but the state stays locked against that host and doesn't reset.
I've obviously misread / misconfigured - any suggestions please?
I actually have to reset the FW to let the rule pass again ...doh
Most grateful
Jake
-
Hosts that exceed the limit are added to the virusprot table. You can remove them from that table manually.
Hosts in that table are expired after 1 hour. You can see that in the cron job called for it. You could change that.
Steve
-
OK I see ...
This is slightly different from the rate limit I use in UFW or Firewalld ...
In which the state auto resets.
One assumes that as long as the limit of 4 in 30 seconds isn't exceeded the host isn't written and therefore will never require deletion with the cron job.
I suppose maybe set the limit a little higher to resolve accidents - but leave the 1 hour cron job -
I did think of using my usual Fail2Ban - but I think this will work well. As the SSH is protected with MFA, any robot will immediately be blocked after hitting it so fast, and the time taken after lock to unlock will make any brute force practically beyond impossible - the MFA would stop 'em when they don't have the second device, which is push notification, so --- impossible, virtually.
Thanks for your input
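To make the behaviour discussed above concrete, here is an added pf.conf sketch (not from the thread and not pfSense's generated ruleset) of what Jake's four settings amount to on the pf side, plus the shell commands for looking at and clearing the overload table Steve describes. The interface macro, the GUI-field-to-pf-option mapping and the sample address are assumptions.

```pf
# Added example, not from the thread or from pfSense's own ruleset.
# Assumed mapping of the GUI fields: "Max Connections" -> max-src-conn,
# "Max.Src.Conn.Rate" / "Rates" -> max-src-conn-rate N/S,
# "State Timeout" -> the tcp.established idle timeout.
wan_if = "em0"                          # assumption: WAN interface name

# pfSense's overload table; the pass rule below populates it.
table <virusprot> persist

# Anything already in the table is dropped. This is why a host stays
# blocked after the burst ends: the table entry, not the rate counter,
# is what keeps it out until the entry expires or is deleted.
block in quick on $wan_if from <virusprot> to any

# Per-source limits: at most 2 concurrent SSH states, and at most
# 4 new connections in any 30-second window. Exceeding either limit
# writes the source into <virusprot> and flushes its existing states
# ("flush global" flushes states from every rule, not just this one).
pass in quick on $wan_if proto tcp from any to ($wan_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 2, max-src-conn-rate 4/30, \
     overload <virusprot> flush global, tcp.established 30)

# Caveat: tcp.established is an idle timeout on established states, so
# a 30-second value would tear down quiet SSH sessions; it does not
# define the 30-second rate window (that is the "/30" above).

# Inspecting and clearing the table from a shell on the firewall.
# The 3600-second expiry is the hourly cron job Steve refers to.
#   pfctl -t virusprot -T show                 # list blocked sources
#   pfctl -t virusprot -T delete 203.0.113.5   # release one host (constructed address)
#   pfctl -t virusprot -T expire 3600          # drop entries older than 1 hour
```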