Netgate Discussion Forum
    Auto Reject IP?

    Firewalling
    g0dsp33d

      Well, the new Bridge Traffic Shaper I set up has already had an attempted brute force on the pfSense. No, they didn't get it, but after a few hundred tries it just gets annoying filling up the logs.

      Is there any way that pfSense, in the firewall rules, will match a certain criterion and block an IP automatically?

      I don't understand the Advanced Options and the State Type all that well, but I figured it is something along those lines.

      g0dsp33d

        http://forum.pfsense.org/index.php?topic=753.msg5693#msg5693

        OK, I'm an idiot, my answer was right under my nose.

        Thanks.

        I have added this on my web server to limit SSH brute-force attacks, and it works quite well.

        But I would very much like to have it in the firewall instead of on the server, because I think it belongs there, and it is quite annoying when I, by accident, lock myself out for 10 minutes when connecting from a local client. Maybe I should just change it so it doesn't block 192.168.* addresses. ;)

        What it does is log and block the third attempt, and just block the 4th and later ones so that my logs don't get flooded.

        # New SSH connection: record the source in the "SSH" recent list and accept it (this rule matches first, so the drop rules below only catch the later packets of an over-limit connection)
        iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
        # 4 or more hits from one source within 600 s: drop silently (--update also refreshes the timestamp, so the block lasts as long as the attempts continue)
        iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
        # 3rd hit within 60 s: log it with a prefix, then drop it
        iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
        iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

        rsw686

          You can set it on the pfSense box in the rules. Edit the rule you have for SSH. Under the Advanced Options section you can specify the number of new connections per second. I have mine set to 4 per 240 seconds. I have verified this, and if you SSH more than 4 times in 4 minutes the connections will just time out. The thing I don't like is that the firewall log still shows each connection after 4 as accepted. I think it should show blocked.

          sullrich

            We just recently fixed this problem. The block rule for the overflow table was not in place.

            This will appear in beta4.

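Putting the pieces of the thread together, as an added example that is not from any of the posters and not pfSense's own generated ruleset: the pf(4) rules behind the Advanced Options setting rsw686 describes, the block rule for the overload table that sullrich says was missing, and a plain pass rule for the management network so the accidental lock-out g0dsp33d complains about in his iptables setup cannot happen here. The interface names (em0 for WAN, em1 for LAN), the addresses (203.0.113.10, 192.168.1.0/24, 192.168.1.1) and the 4-per-240-seconds limit are assumptions; the table name <virusprot> and the rule label are what pfSense uses.

```pf
# Added example (not from the thread or from pfSense's generated ruleset):
# hand-written pf(4) rules equivalent to a pfSense pass rule with
# "Max. new connections / per second(s)" set to 4 / 240.
# Assumptions: em0 is WAN with address 203.0.113.10, em1 is LAN with
# address 192.168.1.1, and the firewall itself listens for SSH on port 22.

# Table of offending sources. pfSense calls it <virusprot>; "persist" keeps
# the table defined even while it is empty.
table <virusprot> persist

# The block rule for the overload table. Without it (the bug sullrich fixed
# for beta4) offenders are added to the table but nothing ever drops their
# packets, and the log keeps showing the excess connections as accepted.
block in log quick from <virusprot> to any label "virusprot overload table"

# Management SSH from the LAN is never rate-limited, so a burst of logins
# from a local client cannot put the admin into the overload table.
pass in quick on em1 proto tcp from 192.168.1.0/24 to 192.168.1.1 port 22 \
    flags S/SA keep state

# Rate-limited SSH from the Internet: once a single source opens more than
# 4 new connections within 240 seconds it is added to <virusprot>, and
# "flush global" tears down every state that source already holds.
pass in quick on em0 proto tcp from any to 203.0.113.10 port 22 \
    flags S/SA keep state (max-src-conn-rate 4/240, overload <virusprot> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Once a source trips the limit, `pfctl -t virusprot -T show` lists the blocked addresses and `pfctl -t virusprot -T delete 192.0.2.5` releases one; entries do not expire on their own (pfSense prunes the table from a scheduled job), so on a hand-maintained ruleset you clear them yourself, which is also how you get back in after locking yourself out.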
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.