Question Auto Reject IP?

  • Well, the new Bridge Traffic Shaper I set up has already had an attempted brute force on the pfSense. No, they didn't get it, but after a few hundred tries it just gets annoying filling up the logs.

    Is there any way that pfSense, in the firewall rules, can meet certain criteria and block an IP automatically?

    I don't understand the Advanced Options and the State Type all that well, as I figured it is something along those lines.


    OK, I'm an idiot, my answer was right under my nose.


    I have added this on my web server to limit the SSH brute force attacks, and it works quite well.

    But I would very much like to have it in the firewall instead of on the server, because I think it belongs there, and it is quite annoying when I, by accident, lock myself out for 10 minutes when connecting from a local client. Maybe I should just change it so it doesn't block 192.168.* addresses.

    What it does is log and block the third attempt, and then just block the 4th and later ones, so that my logs are not flooded.

    # Record every new SSH connection in the "SSH" recent list; no target, so evaluation continues
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    # 4 or more new connections from one source within 600 s: drop silently (no log flooding)
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --rttl --name SSH -j DROP
    # 3rd new connection within 60 s: log it with a prefix, then drop it
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP
    # Anything that passed the limits above is a legitimate new SSH connection
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

  • You can set it on the pfSense box in the rules. Edit the rule you have for SSH. Under the advanced options section you can specify the number of new connections per second. I have mine set to 4 per 240 seconds. I have verified this, and if you SSH more than 4 times in 4 min the connections will just time out. The thing I don't like is that the firewall log still shows each connection after 4 as accepted. I think it should show blocked.

  • We just recently fixed this problem. The block rule for the overflow table was not in place.

    This will appear in beta4.
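    The two replies above describe a pfSense "max new connections" limit and the block rule that was missing for its overflow table. The pf rules below, an added example that is not from this thread or from pfSense's own generated ruleset, show both halves together; the table name ssh_bruteforce and the interface em0 are placeholders chosen for the example.

```pf
# Added example, not pfSense's generated rules. Table and interface names are placeholders.
table <ssh_bruteforce> persist

# The block rule the last reply refers to. "quick" ends evaluation, so a source
# that is already in the table never reaches the pass rule below. Without this
# rule the limit only fills the table and the log keeps showing "accepted".
block in log quick on em0 proto tcp from <ssh_bruteforce> to any port 22

# Allow SSH, but a source that opens more than 4 new connections in 240 seconds
# is added to the table, and all of its existing states are torn down
# ("flush global"), so the offender is cut off immediately.
pass in log on em0 proto tcp from any to any port 22 flags S/SA keep state \
    (max-src-conn-rate 4/240, overload <ssh_bruteforce> flush global)
```

    Table entries do not expire on their own; `pfctl -t ssh_bruteforce -T show` lists the current offenders and `pfctl -t ssh_bruteforce -T expire 600` removes entries older than 600 seconds, which gives the same 10-minute lockout as the iptables rules above.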
