How to protect yourself from brute-force attacks against ftp and ssh.
Few servers today are not subject to constant brute-force attempts.
A strong password is hard to guess by blind search, but improbable things do happen occasionally. Given the consequences of a successful guess, it is better to protect yourself in advance. Blocking the addresses of hosts that behave suspiciously reduces the risk of hostile activity.
The initial conditions are: allow only 3 concurrent connections from one IP address to ssh and no more than 20 connection attempts per minute, and allow 5 concurrent connections to ftp and POP3, also with no more than 20 attempts per minute. These constraints must not apply to the IP address 1.2.3.4.
The following pf configuration solves this problem. A source that exceeds a limit is added to the <bruteforce> table by the overload option, its existing states are flushed, and the block rule then rejects it:
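echo '
# Hosts exempt from the limits
table <safehosts> persist {1.2.3.4}
# Filled by the overload option in the rules below
table <bruteforce> persist
set skip on lo0
pass in all
pass out all
pass in quick from <safehosts>
block in quick from <bruteforce>
# ssh: 3 concurrent connections and 20 new connections per 60 seconds, per source
pass in proto tcp to any port ssh flags S/SA keep state (max-src-conn 3, max-src-conn-rate 20/60, overload <bruteforce> flush global)
# ftp and pop3: 5 concurrent connections and 20 new connections per 60 seconds, per source
pass in proto tcp to any port {ftp, pop3} flags S/SA keep state (max-src-conn 5, max-src-conn-rate 20/60, overload <bruteforce> flush global)
' > /etc/pf.conf
# rc.conf is read as shell variables, so no spaces around "="
echo 'pf_enable="YES"' >> /etc/rc.conf
/etc/rc.d/pf start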
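To check which sources the 20/60 rate limit would catch before enabling the rules, the following added example (not part of the original article) replays a connection log through a sliding window. The log format (epoch seconds, source IP, destination port), the function names and the sample addresses are assumptions constructed for the illustration, and the window is an approximation of the rate check, not pf's own implementation.

```shell
#!/bin/sh
# Added example: estimate which sources a rule such as
# "max-src-conn-rate 20/60" would move into <bruteforce>.
# stdin: "epoch_seconds source_ip dst_port", sorted by time (assumed format).
# Sliding-window approximation of the rate check, not pf's own counter.

# would_overload LIMIT WINDOW PORT SAFE_IP -> prints "ip first_time_over_limit"
would_overload() {
    awk -v limit="$1" -v window="$2" -v port="$3" -v safe="$4" '
        $3 != port || $2 == safe { next }   # other service, or exempt host
        {
            ip = $2
            n = ++tail[ip]                  # index of this connection
            ts[ip, n] = $1
            if (!(ip in head)) head[ip] = 1
            # forget connections that fell out of the window
            while ($1 - ts[ip, head[ip]] >= window) {
                delete ts[ip, head[ip]]
                head[ip]++
            }
            if (n - head[ip] + 1 > limit && !(ip in hit)) {
                hit[ip] = 1
                print ip, $1
            }
        }'
}

# Constructed sample traffic (documentation addresses plus the exempt host).
sample_log() {
    awk 'BEGIN {
        for (i = 0; i < 25; i++) print 1000 + i * 2,  "203.0.113.7",  22  # fast ssh
        for (i = 0; i < 25; i++) print 1000 + i * 10, "198.51.100.9", 22  # slow ssh
        for (i = 0; i < 40; i++) print 1000 + i,      "1.2.3.4",      22  # safehost
        for (i = 0; i < 30; i++) print 1000 + i,      "192.0.2.50",   21  # fast ftp
    }' | sort -n -k1,1
}

sample_log | would_overload 20 60 22 1.2.3.4   # ssh rule
sample_log | would_overload 20 60 21 1.2.3.4   # ftp rule
```

Running it against a real connection log in the same format shows whether legitimate clients would cross the threshold, which is worth knowing before the block rule starts rejecting them.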
You can read more about brute-force attacks at this external link: https://goo.gl/Sb8J6z