Banning after too many SSH attempts

    2.0-RC Snapshot Feedback and Problems - RETIRED
mavles:

Hi,
I was wondering if there is a possibility to ban an IP for 30 min after 3 failed login attempts to my pfSense server on its SSH port. I'm using pfSense 2.0-BETA1 built on Mon Mar 22 11:28:40 EDT 2010. And how can I lower the connection rate of a rule? Example of a rule: DNAT    net  dmz:10.10.10.102:22    tcp  3452  -  -    6/min:5
Thanks,
Mavles

Efonnes:

I know at least 2.0 already has some kind of limiting rules in place for its SSH server. I'm unsure of what the exact limits are, however, or how long an IP address is blocked from accessing the SSH server when that limit is reached.

nocer:

Hi,

The built-in SSH lockout is already there and is called sshlockout_pf, which is activated from syslog if there's anything related to auth errors. sshlockout_pf is pretty handy but really simplistic: max attempts is 10, max lockouts (number of hosts in the pf table) is 256, and the table is entirely cleared every 3600 seconds by cron, so you can't control each and every host. Go visit the link below for more detail:

http://redmine.pfsense.org/repositories/entry/pfsense-tools/pfPorts/sshlockout_pf/files/sshlockout_pf.c?rev=cc98674e75bfd3b2d4117c65b73e13f54665da4d

I'd rather recommend using bruteforceblocker instead, IMHO.

Cheers,

mavles:

Thanks for the bruteforceblocker tip. I think it would be a nice package for pfSense 2. This is a feature that would add a little bit more security (even for SMTP). What I'm doing now is closing all ports on my pfSense and DNATing SSH to a Debian machine with Fail2ban, and I get an email when someone gets blocked. I tried to use OpenVPN, but it's so much slower than SSH, even in UDP mode. I'll try this bruteforceblocker out tomorrow and hope it's not too difficult to set up. Still wondering about the rate control thing.
Thanks for the reply.
Sincerely,
Mavles

nocer:

Hi,

max_attempts and timeout may work for you

-OR-

add this in your pf rules (or modify filter.inc, 'cos a reload wipes this rule):

pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state (max-src-conn-rate 3/10, overload <ssh-bruteforce> flush global)

This rule really does good rate control, but once a host gets banned, it won't be removed from the table.

Cheers,

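As an added example (not posted in this thread), here is the pf.conf fragment that nocer's overload rule belongs in, together with a cron entry that expires table entries after 30 minutes, which covers the "won't be removed from the table" gap and the 30 min ban mavles asked for. The $ext_if macro, the table name ssh-bruteforce and the cron line are assumptions; the rule itself is the one from the post above.

```pf
# Added example, not from the thread. Assumes $ext_if is already defined as a
# macro and that sshd listens on port 22 (the "ssh" service name).

# The overload table; "persist" keeps it even when no rule references it yet.
table <ssh-bruteforce> persist

# Evaluate the table first: a source that was overloaded is dropped outright,
# so it never reaches the rate-limited pass rule below.
block in quick on $ext_if proto tcp from <ssh-bruteforce> to ($ext_if) port ssh

# nocer's rule. max-src-conn-rate 3/10 counts NEW TCP CONNECTIONS per source
# (not failed logins): more than 3 in 10 seconds adds the source to the table
# and "flush global" kills all of that source's existing states.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state \
    (max-src-conn-rate 3/10, overload <ssh-bruteforce> flush global)

# Entries added by overload are never aged out by pf itself. Expire them from
# cron instead; "expire 1800" removes entries older than 1800 s (30 minutes),
# so the ban lasts 30 min rather than forever. Cron line (assumed path):
#
#   */5 * * * * root /sbin/pfctl -t ssh-bruteforce -T expire 1800
#
# To inspect or manually clear the table:
#   pfctl -t ssh-bruteforce -T show
#   pfctl -t ssh-bruteforce -T delete 192.0.2.10   (constructed address)
```

On pfSense the rule and the table must be placed where a filter reload does not discard them, as nocer notes, and cron must be able to reach pfctl.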