Block port(s) after a while



  • Hi !

    I know pfSense is not OpenWrt, but there is a rule for iptables (with the ipt recent module) to avoid things like this. Is there also a solution for pfSense?

    Sep 25 18:35:23 sshd[15995]: Failed password for invalid user ftp123 from 216.245.217.170 port 47969 ssh2
    Sep 25 18:35:23 sshd[15995]: Invalid user ftp123 from 216.245.217.170
    Sep 25 18:35:23 sshd[15994]: Failed password for invalid user asterisk from 216.245.217.170 port 47961 ssh2
    Sep 25 18:35:23 sshd[15994]: Invalid user asterisk from 216.245.217.170
    Sep 25 18:35:22 sshd[15956]: Failed password for invalid user ftp123 from 216.245.217.170 port 47293 ssh2
    Sep 25 18:35:22 sshd[15956]: Invalid user ftp123 from 216.245.217.170
    Sep 25 18:35:22 sshd[15954]: Failed password for invalid user asterisk from 216.245.217.170 port 47280 ssh2
    Sep 25 18:35:22 sshd[15954]: Invalid user asterisk from 216.245.217.170
    Sep 25 18:35:20 sshd[15853]: Failed password for invalid user ftp123 from 216.245.217.170 port 45765 ssh2
    Sep 25 18:35:20 sshd[15853]: Invalid user ftp123 from 216.245.217.170
    Sep 25 18:35:20 sshd[15863]: Failed password for invalid user asterisk from 216.245.217.170 port 45965 ssh2
    Sep 25 18:35:20 sshd[15863]: Invalid user asterisk from 216.245.217.170
    Sep 25 18:35:18 sshd[15826]: Failed password for invalid user oracle from 216.245.217.170 port 44309 ssh2
    Sep 25 18:35:18 sshd[15826]: Invalid user oracle from 216.245.217.170

    Ciao gerd



  • If Snort is working at the moment, this could help you.
    It's a package.

    Or you hit the 'Advanced' button in your SSH rule on the WAN tab and enable/set some custom limits like max. connections per host or per time frame.



  • Can somebody make a feature request for this so it does not get forgotten?

    pf has built-in support for this; it just needs to be exported.



  • @ermal:

    Can somebody make a feature request for this so it does not get forgotten?
    pf has built-in support for this; it just needs to be exported.

    For what? Snort support?
    btw: as I wrote on top before, I used OpenWrt (Kamikaze) and this was done with an iptables rule:
    # Drop a NEW SSH connection if this source already has 5 hits
    # in the ATTACKER_SSH list within the last 180 seconds
    iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW \
      -m recent --name ATTACKER_SSH --rsource --update --seconds 180 --hitcount 5 -j DROP
    # Otherwise record (or refresh) the source in the ATTACKER_SSH list
    iptables -t nat -A prerouting_wan -p tcp --dport 22 -m state --state NEW \
      -m recent --name ATTACKER_SSH --rsource --set

    SSH

    # Accept NEW SSH connections that survived the rate check above
    iptables -A input_wan -p tcp --dport 22 -m state --state NEW -j ACCEPT

    That's all.

    ciao gerd



  • Man, iptables is UGLY. I am glad BSD can make easy tools for people :).

    Yeah, pf has the same concept too, but it needs to be exported to the GUI.
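    The pf equivalent of gerd's iptables rules, as an added example that is not from this thread and not pfSense's own generated ruleset; the interface name, the table name and the 5-connections-per-180-seconds threshold are assumptions you would adjust to your own policy.

    ```pf
    # Added example pf.conf fragment, not from the thread or from pfSense.
    # $wan_if, the table name and the threshold are assumptions.
    wan_if = "em0"

    # Offending sources are collected here. 'persist' keeps the table
    # alive across reloads even if no rule currently references it.
    table <bruteforce> persist

    # Drop all traffic from a source that has already been flagged.
    block in quick on $wan_if from <bruteforce> to any

    # Allow SSH but count new connections per source address. A source
    # that opens more than 5 new connections within 180 seconds is added
    # to the table, and 'flush global' tears down every existing state
    # of that source, so its in-progress guesses die as well.
    pass in on $wan_if proto tcp from any to ($wan_if) port 22 \
        flags S/SA keep state \
        (max-src-conn-rate 5/180, overload <bruteforce> flush global)

    # Operations (typed at a shell, not part of pf.conf):
    #   pfctl -t bruteforce -T show                # list flagged sources
    #   pfctl -t bruteforce -T delete 203.0.113.9  # release one address
    #   pfctl -t bruteforce -T expire 86400        # drop entries older than a day
    ```

    Table entries do not age out on their own, so schedule the `expire` command (for example from cron) unless you want blocks to be permanent. This is the same mechanism the 'Advanced' options in the pfSense rule editor drive, with the GUI supplying its own table.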

