Banning after too many SSH attempts



  • Hi,
    I was wondering if there was a possibility to ban an IP for 30 min after 3 failed login attempts to my pfSense server on its SSH port. I'm using pfSense 2.0-BETA1 built on Mon Mar 22 11:28:40 EDT 2010. And how can I lower the connection rate of a rule? Example of rule: DNAT    net  dmz:10.10.10.102:22    tcp  3452  -  -    6/min:5
    Thanks,
    Mavles



  • I know at least 2.0 already has some kind of limiting rules in place for its SSH server.  I'm unsure of what the exact limits are, however, or how long an IP address is blocked from accessing the SSH server when that limit is reached.



  • hi,

    the built-in SSH lockout is already there and called sshlockout_pf, which is activated from syslog if there's anything relating to auth errors. sshlockout_pf is pretty handy but really simplistic: max attempts is 10, max lockouts (# of hosts in the pf table) is 256, and the table is entirely cleared every 3600 seconds by cron, so you can't control each and every host. go visit below for more detail;

    http://redmine.pfsense.org/repositories/entry/pfsense-tools/pfPorts/sshlockout_pf/files/sshlockout_pf.c?rev=cc98674e75bfd3b2d4117c65b73e13f54665da4d

    I'd rather recommend using bruteforceblocker instead, imho.

    cheers,



    Thanks for the bruteforceblocker. I think it would be a nice package for pfSense 2. This is a feature that would add a little bit more security (even for SMTP). What I'm doing now is close all ports on my pfSense and DNAT SSH to a Debian machine with Fail2ban, and get an email when someone gets blocked. I tried to use OpenVPN, but it's so much slower than SSH, even in UDP mode. I'll try this bruteforceblocker out tomorrow and hope it's not too difficult to set up. Still wondering about the rate control thing.
    Thanks for the reply.
    Sincerely,
    Mavles



  • hi,

    max_attempts and timeout may work for you

    -OR-

    add this to your pf rules (or modify filter.inc, because a reload wipes this rule).

    pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state (max-src-conn-rate 3/10, overload <ssh-bruteforce> flush global)

    this rule really does good rate control, but once a host gets banned, it won't be removed from the table.

    cheers,
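A complete pf.conf fragment built around that rule, added here as an example and not taken from the thread or from pfSense's own filter.inc: on its own, the pass rule only fills a table, so the table needs to be declared `persist` and a `block` rule has to sit before the pass rule for banned sources to actually be refused. Note also that `max-src-conn-rate 3/10` counts new TCP connections (3 from one source within 10 seconds), not failed logins, so a client that reconnects slowly and fails every password is never caught. The interface name em0 is an assumption.

```pf
# Added example, not from the thread. Interface name is an assumption.
ext_if = "em0"

# Persistent table that the overload clause fills. Without "persist"
# pf drops an empty table when the ruleset is reloaded.
table <ssh-bruteforce> persist

# Must come before the pass rule: pf is last-match-wins, and "quick"
# stops evaluation, so banned sources never reach the pass rule below.
block in quick on $ext_if proto tcp from <ssh-bruteforce> to any port ssh

# 3 new TCP connections from one source within 10 seconds puts that
# source into the table, and "flush global" kills all of its existing
# states, not only the SSH ones.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/10, overload <ssh-bruteforce> flush global)
```

To get the 30-minute ban the original question asks for instead of the permanent entries noted above, expire table entries older than 1800 seconds from cron, for example `*/5 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 1800` (entries added by overload have their statistics cleared at insertion time, which is what `-T expire` measures against). `pfctl -t ssh-bruteforce -T show` lists the currently banned sources and `pfctl -t ssh-bruteforce -T delete 192.0.2.10` removes one by hand (address constructed for illustration). Banning on failed logins rather than connection rate still needs a log-driven tool such as the sshlockout_pf or bruteforceblocker mentioned earlier in the thread.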

