Anyone who administers a machine offering a public service has probably had sshd hammered by hosts from all over the place.
Being hit doesn't really hurt anything, but it still gets annoying to look at.
There are ready-made packages built to solve exactly this (e.g. security/sshit),
but the pf that ships with FreeBSD 6 and later can achieve the same effect on its own.
Add to /etc/rc.conf:
pf_enable="YES" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf.local"
/etc/pf.conf.local:
# Sources exempt from the rate limit; add your own addresses inside the braces
table <trust-zone> persist { }
# Sources that exceeded the connection rate; filled automatically by the overload rule below
table <ssh-bruteforce> persist
# Packet Filter Default Setting
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 50000, frags 25000 }
set optimization normal
set block-policy drop
set state-policy if-bound
set require-order yes
set fingerprints "/etc/pf.os"
set debug none
# ssh (trust-zone): trusted sources skip the rate limit entirely
pass in quick proto tcp from <trust-zone> to any port 22 keep state
# ssh (untrust): more than 3 new connections from one source within 30 seconds
# puts that source into <ssh-bruteforce>; "flush global" (assumed here, not visible
# in the original) also tears down the offender's existing states
pass in proto tcp from any to any port 22 flags S/SFRA keep state (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
pass out proto tcp from any to any port 22 keep state
# pf is last-match; this quick rule comes after the pass rule so listed sources are dropped
block drop in quick from <ssh-bruteforce>
Add the addresses you want exempted from this rule to the trust-zone table.
Then run sh /etc/rc.d/pf start and you're done.
Result in practice:
From a few hundred to a few thousand attempts per day, down to single digits to a dozen or so per day XD
Also, security/expiretable can be used to clean stale entries out of the ssh-bruteforce table.
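To make the behaviour of the rate-limit rule and the expiretable cleanup concrete, here is an added Python model of what pf does with `max-src-conn-rate 3/30, overload <ssh-bruteforce>` and what `expiretable` does to that table afterwards. It is an illustration written for this page, not code from the original post, from pf or from security/expiretable; the connection log, the trust-zone address and the expiry TTL are constructed sample values, and pf's real implementation uses a moving-average approximation rather than the exact sliding window used here.

```python
"""Model of pf's max-src-conn-rate overload and expiretable cleanup (added illustration)."""
from collections import defaultdict, deque


class OverloadTable:
    """Models the <ssh-bruteforce> table: source address -> time it was added."""

    def __init__(self):
        self.entries = {}

    def add(self, src, now):
        self.entries.setdefault(src, now)

    def contains(self, src):
        return src in self.entries

    def expire(self, now, ttl):
        """What expiretable does: drop entries that have been in the table for ttl seconds or more."""
        stale = [src for src, added in self.entries.items() if now - added >= ttl]
        for src in stale:
            del self.entries[src]
        return stale


class SshRateLimiter:
    """Models one pass rule with `max-src-conn-rate max_conns/seconds, overload <table>`."""

    def __init__(self, max_conns, seconds, table, trust_zone=()):
        self.max_conns = max_conns
        self.seconds = seconds
        self.table = table
        self.trust_zone = set(trust_zone)
        # src -> timestamps of its recent new connections (sliding window)
        self.history = defaultdict(deque)

    def new_connection(self, src, now):
        """Return 'pass' or 'block' for a new TCP SYN from src at time now."""
        if src in self.trust_zone:
            return "pass"            # pass in quick ... from <trust-zone>
        if self.table.contains(src):
            return "block"           # block drop in quick from <ssh-bruteforce>
        window = self.history[src]
        window.append(now)
        while window and now - window[0] >= self.seconds:
            window.popleft()         # forget connections outside the 30 s interval
        if len(window) > self.max_conns:
            self.table.add(src, now)  # overload <ssh-bruteforce>
            return "block"
        return "pass"


# Constructed sample log: (seconds since start, source address)
SAMPLE_LOG = [
    (0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"), (3, "203.0.113.5"),
    (40, "203.0.113.5"),                                   # already listed by now
    (5, "198.51.100.7"), (50, "198.51.100.7"), (95, "198.51.100.7"), (140, "198.51.100.7"),
    (10, "192.0.2.10"), (11, "192.0.2.10"), (12, "192.0.2.10"), (13, "192.0.2.10"),
]
TRUSTED = {"192.0.2.10"}  # constructed trust-zone entry


def simulate(log, trust_zone=TRUSTED):
    """Replay a connection log through the rules; return per-connection decisions and the final table."""
    table = OverloadTable()
    limiter = SshRateLimiter(3, 30, table, trust_zone)
    decisions = [(now, src, limiter.new_connection(src, now)) for now, src in sorted(log)]
    return decisions, sorted(table.entries)


if __name__ == "__main__":
    for now, src, verdict in simulate(SAMPLE_LOG)[0]:
        print(f"t={now:4d} {src:14s} {verdict}")
    print("ssh-bruteforce table:", simulate(SAMPLE_LOG)[1])
```

The replay shows the three behaviours the ruleset relies on: the fourth connection inside the window is the one that gets dropped and lands the source in the table, a source pacing its connections 45 seconds apart never trips the limit, and a trusted address is never counted at all. Once `expire` removes an entry (the job expiretable does from cron), the next connection from that source is judged afresh by the rate rule rather than staying blocked forever.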
- Dec 14 Fri 2007 00:12
[share] How to use pf on FreeBSD to block hosts that keep hammering sshd from all over the place