IP Banning for Multiple Attempts (Attacks) on Firewall?
This is just a question actually, maybe could be a feature request?
Is there a way, (or possible) to have pfSense put IP addresses of people in a sort of temporary pool that will block all access from them, if they say lauch an attack against the router.
Multiple attempts to attack the router results in a 6 hour ban. Something of that sort.
PS: Just installed the BETA2 and it's working great so far. Thanks guys!
That's a possible package request. You might want to add it to this thread: http://forum.pfsense.org/index.php?topic=6.0
I have added this on my web server to limit the SSH brute force attacks, and it works quite well.
But I would very much like to have it in the firewall instead of on the server because I think it belongs there and it is quite annoying when I, by accident, lock myself out for 10 minutes when connecting from a local client. Maybe I should just change it so it doesn't block 192.168.* addresses ;)
What it does is that it logs and blocks the third attempt and it just blocks the 4.+ to avoid my logs are flodded.
iptables -A INPUT -p tcp –dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP