Sshlockout



  • I'm not a dev, but I'm comfortable working on BSD and assorted variants. I was hoping someone with chops could assist me with editing the default values for the sshlockout script. Specifically, I would like for the table to remain static across reboots so that once an IP is in there, it's in there for good, and to be able to change the default amount of failed logins required to trigger a lockout from 15 to something more ominous, like 3. I've been tracking pfSense for a while now, and it seems that the values change from version to version. Maybe it could be considered to allow an administrator to manipulate these values from the webadmin page? 15 is nice for the script kiddies, but what worries me are the ones that try five or six times, wait a few days and try again. There are some persistent vermin out there… Anyway, any assistance would be greatly appreciated!



  • /etc/inc/system.inc has the code that write /var/etc/syslog.conf
    This does "exec /usr/local/sbin/sshlockout_pf 15"
    sshlockout_pf.c takes the failed attempt limit as a parameter.
    In the current system, you would have to manually edit /etc/inc/system.inc to change the parameter. If someone wanted to do the work, and the developers were happy to have this on the GUI, then it shouldn't be too difficult to add a field somewhere, probably on System:Advanced:Admin Access:Secure Shell to allow a user-specified limit.
    When I have put rules in to allow SSH access from the WAN, then I get sshlockouts from some IP address in Kenya! If you really need to get in directly by SSH when you are traveling, from home etc then block out countries you don't go to. If you have static IP at home and in other offices, then just allow those IPs into WAN. And set a really good password so it will take billions of guesses to crack it.



  • @phil.davis:

    /etc/inc/system.inc has the code that write /var/etc/syslog.conf
    This does "exec /usr/local/sbin/sshlockout_pf 15"
    sshlockout_pf.c takes the failed attempt limit as a parameter.
    In the current system, you would have to manually edit /etc/inc/system.inc to change the parameter. If someone wanted to do the work, and the developers were happy to have this on the GUI, then it shouldn't be too difficult to add a field somewhere, probably on System:Advanced:Admin Access:Secure Shell to allow a user-specified limit.
    When I have put rules in to allow SSH access from the WAN, then I get sshlockouts from some IP address in Kenya! If you really need to get in directly by SSH when you are traveling, from home etc then block out countries you don't go to. If you have static IP at home and in other offices, then just allow those IPs into WAN. And set a really good password so it will take billions of guesses to crack it.

    Mucho thanks for the really informative feedback, phil.davis. SO, if I understand correctly, changing the value of /usr/local/sbin/sshlockout_pf to 3 would cause sshlockout to block someone after 3 failed attempts? I'm going to reboot with the change and see if the change survives. Thanks again!



  • Yes, edit /etc/inc/system.inc - change the "15" to "3". That will happily survive reboots.
    Of course, when you update your pfSense software to a new version then you will get a new /etc/inc/system.inc and have to apply the edit again. Ideally, don't hack too many scripts on an installation - you have to keep a record of what you did and make sure to re-do it after every upgrade. It is better if the parameters that users want to set are available on the GUI. Maybe go to Redmine and submit a feature request.


Log in to reply