IP Banning for Multiple Attempts (Attacks) on Firewall?

  • This is just a question actually, maybe could be a feature request?

    Is there a way, (or possible) to have pfSense put IP addresses of people in a sort of temporary pool that will block all access from them, if they say lauch an attack against the router.

    Multiple attempts to attack the router results in a 6 hour ban. Something of that sort.

    PS: Just installed the BETA2 and it's working great so far. Thanks guys!

  • That's a possible package request. You might want to add it to this thread: http://forum.pfsense.org/index.php?topic=6.0

  • I have added this on my web server to limit the SSH brute force attacks, and it works quite well.

    But I would very much like to have it in the firewall instead of on the server because I think it belongs there and it is quite annoying when I, by accident, lock myself out for 10 minutes when connecting from a local client. Maybe I should just change it so it doesn't block 192.168.* addresses ;)

    What it does is that it logs and blocks the third attempt and  it just blocks the 4.+  to avoid my logs are flodded.

    iptables -A INPUT -p tcp –dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
    iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP