PF, The OpenBSD Packet Filter: Building The Network You Need: BSDCan, Ottawa, June 10th 2015
Going back to the scenario from Turning Away The Brutes, here is a variation with queues:
pass log quick on $ext_if proto tcp to port ssh flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global) \
    queue (ssh_bulk, ssh_interactive) set prio (5,7)
Supplement this with a queue definition for a mere 512 bits per second:
queue smallpipe parent main bandwidth 512
And that's all the bruteforcers get, once caught:
pass inet proto tcp from <bruteforce> to port $tcp_services queue smallpipe
(In practice a queue this small may not be enforceable: the scheduler's packet timing granularity relative to the link's available bandwidth limits how little it can actually let through.)
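The rules above assume a root queue named main and the two ssh subqueues already exist. Here is a self-contained pf.conf fragment that supplies those pieces around the page's rules; this is an added example, not part of the original slides or the OpenBSD distribution. The interface name em0, the 100M uplink, the queue sizes, the std queue and the contents of $tcp_services are illustrative assumptions.

```pf
# Added example, not from the original page. Assumed values: ext_if=em0,
# a 100M link, the queue sizes below and the ports in $tcp_services.

ext_if = "em0"
tcp_services = "{ ssh, smtp, www, https }"

# Sources that trip the overload limits are added here; persist keeps the
# table (and the penalty) across ruleset reloads with pfctl -f.
table <bruteforce> persist

# Root queue on the external interface; every other queue hangs off it.
queue main on $ext_if bandwidth 100M
  queue ssh_interactive parent main bandwidth 10M min 5M
  queue ssh_bulk        parent main bandwidth 20M max 50M
  queue smallpipe       parent main bandwidth 512
  queue std             parent main bandwidth 60M default

# Caught brute forcers. This rule must sit BEFORE the quick ssh rule and be
# quick itself: quick stops rule evaluation, so if the ssh rule came first
# their ssh traffic would match it and never reach smallpipe.
pass in quick on $ext_if inet proto tcp from <bruteforce> \
    to port $tcp_services queue smallpipe

# Everybody else. More than 15 simultaneous connections, or more than 5 new
# ones in 3 seconds, from one source adds it to <bruteforce> and flushes
# its existing states (flush global). ACKs go to ssh_interactive at prio 7.
pass in log quick on $ext_if proto tcp to port ssh flags S/SA \
    keep state (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global) \
    queue (ssh_bulk, ssh_interactive) set prio (5,7)

pass in on $ext_if inet proto tcp to port $tcp_services queue std
```

Check the syntax without loading it with pfctl -nf /etc/pf.conf. Once it is live, pfctl -t bruteforce -T show lists who has been caught, pfctl -vs queue shows whether smallpipe is actually passing anything, and pfctl -t bruteforce -T expire 86400 releases entries older than a day if you do not want the penalty to be permanent.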