Netgate Discussion Forum

Question Auto Reject IP?

    g0dsp33d
    last edited Apr 6, 2006, 2:43 PM

    Well, the new Bridge Traffic Shaper I set up has already had an attempted brute force on the pfSense. No, they didn't get it, but after a few hundred tries it just gets annoying filling up the logs.

    Is there any way that pfSense, in the firewall rules, can match certain criteria and block an IP automatically?

    I don't understand the Advanced Options and the State Type all that well, but I figured it is something along those lines.

      g0dsp33d
      last edited Apr 6, 2006, 3:35 PM

      http://forum.pfsense.org/index.php?topic=753.msg5693#msg5693

      OK, I'm an idiot, my answer was right under my nose.

      Thanks.

      I have added this on my web server to limit the SSH brute force attacks, and it works quite well.

      But I would very much like to have it in the firewall instead of on the server, because I think it belongs there, and it is quite annoying when I, by accident, lock myself out for 10 minutes when connecting from a local client. Maybe I should just change it so it doesn't block 192.168.* addresses ;)

      What it does is log and block the third attempt, and just block the 4th and later attempts, so that my logs are not flooded.

      # Rate-limit SSH with the "recent" module. Rule order matters: rule 1 records and accepts every
      # NEW connection, so rules 2-4 only ever see the follow-up packets of a connection and must sit
      # before any blanket ESTABLISHED,RELATED ACCEPT rule to have any effect.
      iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
      # 4 or more connections from one source within 10 minutes: drop silently (no log flooding)
      iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
      # 3 connections within 60 seconds: log the attempt once, then drop it
      iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
      iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

        rsw686
        last edited May 9, 2006, 1:05 AM

        You can set it on the pfSense box in the rules. Edit the rule you have for SSH. Under the Advanced Options section you can specify the number of new connections per second(s). I have mine set to 4 per 240 seconds. I have verified this, and if you SSH more than 4 times in 4 min the connections will just time out. The thing I don't like is that the firewall log still shows each connection after 4 as accepted. I think it should show blocked.

          sullrich
          last edited May 9, 2006, 1:18 AM

          We just recently fixed this problem. The block rule for the overflow table was not in place.

          This will appear in beta4.

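The per-rule "maximum new connections per second(s)" option rsw686 describes, and the missing block rule sullrich refers to, correspond to two pieces of a pf(4) ruleset. The fragment below is an added example written for this page; it is not the ruleset pfSense generates and not code from either poster. The interface name em0 and the table name sshbrute are assumptions (stock pfSense uses a table named virusprot for the same purpose). It applies the same 4-per-240-seconds limit from the post above and includes the block rule that consults the overload table, which is the piece that was missing in the beta discussed.

```pf
# Added example, not pfSense's generated ruleset. Interface and table names are assumed.
ext_if = "em0"
table <sshbrute> persist

# The rule that was missing in the beta discussed above: without a block rule that
# consults the overload table, offenders are added to <sshbrute> but never blocked.
block in quick on $ext_if from <sshbrute> to any

# Allow SSH, but once one source opens more than 4 new connections in 240 seconds,
# add it to <sshbrute> and flush every state it currently holds ("flush global").
pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 4/240, overload <sshbrute> flush global)
```

Two things are worth knowing when testing this. First, the pass rule still matches the SYN that trips the limit, so a logged pass rule records it as passed even though the source is then added to the table and its states are flushed; that is consistent with rsw686 seeing every connection after the fourth logged as accepted while the session itself times out. Second, the table is inspected and edited with pfctl: `pfctl -t sshbrute -T show` lists the blocked sources, and `pfctl -t sshbrute -T delete 192.168.1.20` (address is a placeholder) releases a LAN host you locked out by accident, which is the lockout g0dsp33d complains about with the iptables version.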
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.