| PF, The OpenBSD Packet Filter: Building The Network You Need: BSDCan, Ottawa, June 10th 2015 | ||
|---|---|---|
| Prev | Next | |
A variation on Turning Away The Brutes:
pass log quick on $ext_if proto tcp to port ssh \
queue (ssh_bulk, ssh_interactive)becomes
pass log quick on $ext_if proto tcp to port ssh \
keep state (max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global) \
queue (ssh_bulk, ssh_interactive)where
queue smallpipe bandwidth 1kb cbq
and
pass inet proto tcp from <bruteforce> to port $tcp_services \
queue smallpipe