I'm not creative enough for this, and you can't help me.

Stopping SSH SPAM with PF!

August 6, 2008 in FreeBSD, Networking

If you’ve put a server accepting SSH connections on the internet you’ve probably noticed a TON of failed login attempts from various IP addresses and various (seemingly generic) usernames.  If not, you probably should have, and you may not be up to running a server if you don’t look at logs from time to time.

Either way, there’s a quick & easy way to try to stop these annoying bots or whatever they are from bugging your server with PF.  Basically, on your rule where you pass SSH connections in through the firewall you can set a ‘max-src-conn-rate’ or maximum source connection rate.  What this does is triggers something to happen when a host connects faster than a certain rate of allowed new connections.  In our case we’ll want to dump these users into a table that blocks everything from them.  So we create the table:

table <ssh-bruteforce> persist

The rule to drop people who are clearly spamming into our ssh-bruteforce table is:

pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn-rate 4/30, overload <ssh-bruteforce> flush global)

Where the connection rate is 4 connections in 30 seconds (4/30).  From this point on, you just want to block them.  You can do that with:

block in log quick on $ext_if from <ssh-bruteforce>

Now anybody who tries to esablish connections faster than the rate specified in the pass rule gets dumped into that table, and blocked from accessing anything at all on your server. 

mhoran++