On 22/12/2018 13:20, Stuart Henderson wrote:
>
> On 2018-12-20, Steve Fairhead<steve@fivetrees.com> wrote:
>> On 20/12/2018 13:20,torsten@cnc-london.net wrote:
>>> Try to add below to your pf.conf
>>>
>>> table <bruteforce> persist
>>>
>>> pass in on $ext_if inet proto tcp from any to $ext_if port 1194 \
>>> (max-src-conn 10, max-src-conn-rate 30/5, \
>>> overload <bruteforce> flush global)
>> This is pretty much exactly what I have for ssh scanners (with different
>> limits). Aha!
>>
>> On 20/12/2018 13:20,peter@bsdly.net wrote:
>>> The good thing about the pf.conf state tracking options is that they're
>>> service agnostic.
>> That's the bit I wasn't entirely sure about - thanks. Makes sense now -
>> of course! It's nothing to do with service, just connections. D'oh!
>>
>> I now have a cunning plan, a plan so cunning etc etc. Thanks to all who
>> responded, on- and off-list.
> That works for TCP. If you're running openvpn over UDP, as most people do,
> options are more limited - max-src-conn and max-src-conn-rate are not
> available. See the pf.conf manual for reasons.
>
Aw fork. Missed that detail. Will re-read.
A curious detail: the day after I posted my enquiry, brute-force attacks
dropped from several thousand a day to... 2 or 3. I hadn't yet made any
changes...
Steve
No comments:
Post a Comment