derekm (joined 2008-02-26)
Re: Update on Throttling: Part 2...
said by LiQuiD:
    No matter what port number you use, eventually you'll get scans. What I've done to avoid them is set the sysctl on fbsd to drop syn+fin (not perfect, but marked improvement) and b: a buddy of mine and myself once created a perl script that would parse my /var/log/auth.log (or wherever connection attempts are logged) every hour and find numerous attempts from an IP and add them to a table for pf to chew on. I then had a cronjob that would reload the table into pf every hour. Needless to say, it was a table of unwelcome hosts, and reloading it caused it to be added to the addresses blocked by my gateway.

LiQuiD, thanks for further confirming SCP/SSH findings.
A related note, I'm using pf and this rule simplifies the process for me:
    table <badneighbors> persist
    # the overload table only has an effect once a rule references it (companion block rule)
    block in quick on $ext_if proto tcp from <badneighbors> to any port ssh
    pass in on $ext_if inet proto tcp from any to any port { ssh } flags S/SA keep state \
        (max-src-conn 3, max-src-conn-rate 5/3, overload <badneighbors> flush global)
I'm also running security/expiretable to time out old entries, although I think in 7.0-RELEASE and above you can do something like pfctl -t bruteforce -T expire 86400 (in OpenBSD 4.1 and above).
You may wish to throw POP3 or other services behind that little puppy too.
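The log-parsing approach LiQuiD describes (count failed sshd attempts per source address, then feed repeat offenders into a pf table), as an added example in Python rather than the perl script from the post; the log lines are constructed, and the threshold, table name and function names are assumptions:

```python
import re
from collections import Counter

# Constructed sample lines in BSD sshd syslog format (not real log data).
SAMPLE_AUTH_LOG = """\
Mar 12 03:14:01 gw sshd[5123]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar 12 03:14:03 gw sshd[5123]: Failed password for root from 203.0.113.7 port 41023 ssh2
Mar 12 03:14:05 gw sshd[5127]: Invalid user admin from 203.0.113.7
Mar 12 03:14:06 gw sshd[5127]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Mar 12 03:15:10 gw sshd[5140]: Accepted publickey for derek from 198.51.100.4 port 55001 ssh2
Mar 12 03:16:44 gw sshd[5151]: Failed password for derek from 198.51.100.4 port 55002 ssh2
Mar 12 03:17:02 gw sshd[5160]: Did not receive identification string from 192.0.2.9
"""

# sshd messages that indicate a failed or aborted login attempt
FAILURE_MARKERS = ("Failed password for", "Invalid user", "Did not receive identification string")
IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def count_failures(log_text):
    """Return a Counter of failed-attempt lines per source IPv4 address."""
    counts = Counter()
    for line in log_text.splitlines():
        if "sshd[" not in line or not any(m in line for m in FAILURE_MARKERS):
            continue  # not an sshd failure line (e.g. an accepted login)
        m = IP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)


def pfctl_commands(ips, table="badneighbors"):
    """Build the pfctl invocations that add each address to the persistent table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_AUTH_LOG)):
        print(cmd)
```

Run from cron and pipe the printed commands to sh to mirror the hourly reload in the post; an address that merely fails once (198.51.100.4 above) stays off the table.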