Anyone who administers a machine that offers a public service has seen sshd get hammered by hosts from all over the world.
Being hammered does no real harm, but it is still annoying to look at.

There are ready-made packages built to solve exactly this problem (e.g. security/sshit),
but the pf that ships with FreeBSD 6 and later can achieve the same effect on its own.

Add to /etc/rc.conf:
pf_enable="YES" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf.local"

/etc/pf.conf.local:
# Trust-zone table: any table name will do, <trust> is used here;
# add further trusted addresses or networks to the list
table <trust> { 127.0.0.1, 10.0.0.0/24, 10.0.1.0/24 }
# Table that collects offending sources; persist keeps it across rule reloads
table <ssh-bruteforce> persist

# Packet Filter Default Setting
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 50000, frags 25000 }
set optimization normal
set block-policy drop
set state-policy if-bound
set require-order yes
set fingerprints "/etc/pf.os"
set debug none

# ssh(trust-zone): sources in <trust> skip the rate limit entirely
pass in quick proto tcp from <trust> to any port 22

# ssh(untrust): more than 3 new connections within 30 seconds from one source
# adds that source to <ssh-bruteforce> and flushes all of its states
pass in proto tcp from any to any port 22 flags S/SFRA keep state (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
pass out proto tcp from any to any port 22 keep state
# quick: this match is final, so it overrides the non-quick pass rule above
block drop in quick from <ssh-bruteforce>

In the trust-zone table, add the IPs you want to exempt from this rule.

Then run sh /etc/rc.d/pf start and you are done.

Result after applying it for real:
from a few hundred to a few thousand attempts per day, down to single digits or a dozen or so per day XD

Also, security/expiretable can be used alongside this to clean up the ssh-bruteforce table.
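To see what the max-src-conn-rate 3/30 rule actually does to a burst of login attempts, and to measure the "how many times per day" figure from the log, here is an added example (written for this page, not code from the post or from pf itself). It replays constructed sshd log lines in FreeBSD auth.log style, skips sources in the trust table, and models pf's overload behaviour as a sliding 30-second window in which the fourth new connection lists the source and every later attempt from it is dropped. The trust-table name, the log lines, the year used for parsing, and the window model are all assumptions; pf's own rate accounting is in the kernel and this script only approximates it.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Values mirrored from the pf rule on the page: max-src-conn-rate 3/30
MAX_CONN = 3
WINDOW_SECONDS = 30

# Assumed trust table (contents as on the page; the name <trust> is a placeholder)
TRUST = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.0/24", "10.0.1.0/24")]

# Constructed sshd log lines in FreeBSD auth.log style; not real traffic
SAMPLE_LOG = """\
Jan 12 03:14:01 host sshd[1201]: Invalid user admin from 203.0.113.5
Jan 12 03:14:05 host sshd[1202]: Invalid user oracle from 203.0.113.5
Jan 12 03:14:09 host sshd[1203]: Invalid user test from 203.0.113.5
Jan 12 03:14:12 host sshd[1204]: Invalid user guest from 203.0.113.5
Jan 12 03:14:20 host sshd[1205]: Invalid user admin from 203.0.113.5
Jan 12 03:15:00 host sshd[1210]: Accepted publickey for alice from 10.0.0.7
Jan 12 03:20:00 host sshd[1220]: Invalid user root from 198.51.100.9
Jan 12 03:25:00 host sshd[1221]: Invalid user root from 198.51.100.9
Jan 12 03:30:00 host sshd[1222]: Invalid user root from 198.51.100.9
Jan 12 03:35:00 host sshd[1223]: Invalid user root from 198.51.100.9
"""

LOG_YEAR = 2024  # syslog lines carry no year; assumed so timestamps can be parsed
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .*?from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_log(text):
    """Return (timestamp, source_ip) pairs for every sshd line, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    events.sort()
    return events


def is_trusted(ip):
    """True if the source matches the trust-zone table (the quick pass rule)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUST)


def simulate(events):
    """Replay connections through a model of the page's pf rules.

    Per source: attempts seen, attempts that would be dropped, and the time
    at which the source would have been added to <ssh-bruteforce>.
    """
    recent = defaultdict(list)   # per-source timestamps inside the window
    listed = {}                  # sources already in <ssh-bruteforce>
    report = defaultdict(lambda: {"attempts": 0, "blocked": 0, "listed_at": None})
    for ts, ip in events:
        r = report[ip]
        r["attempts"] += 1
        if is_trusted(ip):
            continue  # matched "pass in quick ... from <trust>"
        if ip in listed:
            r["blocked"] += 1  # matched "block drop in quick from <ssh-bruteforce>"
            continue
        # keep only connections younger than the 30-second window, then add this one
        window = [t for t in recent[ip] if (ts - t).total_seconds() < WINDOW_SECONDS]
        window.append(ts)
        recent[ip] = window
        if len(window) > MAX_CONN:
            # rate exceeded: source is overloaded into the table, states flushed,
            # and this connection does not get through
            listed[ip] = ts
            r["listed_at"] = ts.strftime("%H:%M:%S")
            r["blocked"] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, r in simulate(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:15} attempts={r['attempts']} blocked={r['blocked']} listed_at={r['listed_at']}")
```

In the sample, 203.0.113.5 crosses 3/30 on its fourth attempt at 03:14:12 and loses that and every later connection, while 198.51.100.9, which tries only once every five minutes, never trips the rule; a slow attacker is exactly the case the rate limit does not catch, which is why the log count drops to single digits rather than zero. On the real box, pfctl -t ssh-bruteforce -T show lists the sources currently in the table, and pfctl -t ssh-bruteforce -T expire 86400 drops entries older than a day, which is the job the post hands to expiretable.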


Posted by Izero on 痞客邦 PIXNET