
How to prevent Bruteforce

Install Bruteblock

 cd /usr/ports/security/bruteblock; make && make install

Configure Bruteblock

 vi /usr/local/etc/bruteblock/ssh.conf

Add a line similar to the following example, matching the sshd message format in your auth.log. The line below is for commercial SSH (sshd2); alternatively, the regexp already present in the default configuration is good enough for a standard installation.

 regexp2         = sshd2.*connection from \"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\"

Change max_count to

 max_count       = 10   (10 tries)

Change within_time to

 within_time     = 45   (within 45 seconds)

Change reset_ip to

 reset_ip        = 3600 (block for 1 hour)
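To see what these three settings mean in practice, here is an added example (not part of the original page and not bruteblock's own code) that replays constructed auth.log lines through the same regexp-and-counter logic: the sshd2 pattern is the page's regexp2, while the OpenSSH "Failed password" pattern and the sample log lines are assumptions constructed for this demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# The sshd2 pattern is the page's regexp2; the OpenSSH "Failed password" pattern
# is an assumption for this example, not bruteblock's shipped default.
REGEXPS = [
    re.compile(r'sshd2.*connection from "(\d{1,3}(?:\.\d{1,3}){3})"'),
    re.compile(r'sshd\[\d+\]: Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3})'),
]

def extract_ip(line):
    """Return the offending IP from a log line, or None if no regexp matches."""
    for pat in REGEXPS:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None

def syslog_seconds(line):
    """Seconds since an arbitrary epoch for a 'Mon DD HH:MM:SS' syslog prefix."""
    return (datetime.strptime(line[:15], "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()

def simulate(lines, max_count=10, within_time=45, reset_ip=3600):
    """Replay log lines; return {ip: time at which its block would expire}.
    An IP is blocked once max_count matches fall inside a within_time window."""
    hits = defaultdict(list)   # ip -> timestamps of matches still inside the window
    blocked = {}               # ip -> block expiry (reset_ip seconds after blocking)
    for line in lines:
        ip = extract_ip(line)
        if ip is None:
            continue
        now = syslog_seconds(line)
        if ip in blocked and blocked[ip] <= now:
            del blocked[ip]      # reset_ip elapsed: IP leaves the ipfw table
        if ip in blocked:
            continue             # already in table(1); ipfw drops it, nothing to count
        hits[ip] = [t for t in hits[ip] if now - t <= within_time] + [now]
        if len(hits[ip]) >= max_count:
            blocked[ip] = now + reset_ip
            hits[ip].clear()
    return blocked

# Constructed sample log: one host fails 10 times in 18 s (exceeds the window),
# another fails 10 times at 30 s intervals (never 10 inside 45 s), plus one sshd2 line.
SAMPLE_LOG = (
    [f"Aug 10 02:30:{i*2:02d} bsd sshd[1001]: Failed password for root from 203.0.113.5 port 4000{i} ssh2" for i in range(10)]
    + [f"Aug 10 02:{31+i//2}:{(i%2)*30:02d} bsd sshd[1002]: Failed password for admin from 198.51.100.9 port 5000{i} ssh2" for i in range(10)]
    + ['Aug 10 02:40:00 bsd sshd2[77]: connection from "192.0.2.77"']
)
```

Running simulate(SAMPLE_LOG) blocks only 203.0.113.5, for exactly reset_ip seconds after its tenth failure; the slow host never reaches max_count inside within_time.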

Enable bruteblock in /etc/rc.conf

 bruteblockd_enable="YES"
 bruteblockd_table="1"
 bruteblockd_flags="-s 60"

Add the following line to /etc/firewall as the second entry (right after the flush), or edit your standard firewall rule file accordingly

 add deny ip from table(1) to any

Apply the changes

 ipfw -f /etc/firewall

Add the following line to /etc/syslog.conf

 auth.info;authpriv.info                         |exec /usr/local/sbin/bruteblock -f /usr/local/etc/bruteblock/ssh.conf

Restart syslogd

 /etc/rc.d/syslogd restart

Start bruteblockd

 /usr/local/etc/rc.d/bruteblockd.sh start

How to check blocked IP

 ipfw table 1 list

How to flush table

 ipfw table 1 flush

Anything else in mind - GOOGLE it

Using IPFW limiting source

This will help keep your server alive during a DDoS or brute-force attack; it also frustrates the attacker, because the rate limit slows down their scan.

 ipfw add allow tcp from xx.xx.xx.xx/24 to any setup limit src-addr 10
 ipfw add allow tcp from any to me setup limit src-addr 4

NOTE: The first rule is for your internal network; replace xx.xx.xx.xx with your internal network address.

bruteforce_prevention.txt · Last modified: 2020/08/10 02:35 (external edit)