Thursday, June 09, 2005

OpenBSD Network Protection - Summary

It works! Much more efficient and responsive than the first solution. Caught another kiddie yesterday; he only managed 13 attempts in a 25-second window before the system blocked him.

After some additional testing since the previous post, I changed the trigger rate. 10/60 (ten new connections from one source within 60 seconds) is much more realistic. Ideally it should be somewhere in the region of 5/60, but I'm being a bit conservative, as that's how I connect to my home machines and I don't feel like locking myself out.

So, to summarise, the best way to tune your OpenBSD firewall to protect your systems from brute-force dictionary attacks is to use the following rule format (the overload table name got lost in the page markup; <bruteforce> is an assumed name, use whatever you declared):

# table that overloaded sources are added to; persist keeps it even when empty
table <bruteforce> persist
# must come before the pass rule: quick stops evaluation for blocked sources
block in quick from <bruteforce>
# 10/60 = ten new connections from one source within 60 seconds; tune to taste
pass in on $ext_if proto tcp to $target_ip_address port $port_to_protect flags S/SA keep state (max-src-conn-rate 10/60, overload <bruteforce> flush)

The trigger rate can be tuned to your level of paranoia, but I've found that having a long window to monitor helps considerably. One caveat: a source added by overload stays in the table until you remove it, so if you don't want a permanent ban, age entries out periodically (for example pfctl -t bruteforce -T expire 86400 from cron) and keep the addresses you administer from on a whitelisted pass rule above the rate-limited one.
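To show how the rate trigger behaves on real traffic, and why a tighter setting can catch the administrator's own burst of logins, here is an added example that is not part of the original post and not OpenBSD code: a small Python model of pf's max-src-conn-rate counter, a sliding per-source window of new connections, with an overload table and an optional whitelist. The connection list, the addresses (10.0.0.66 as the attacker, 192.0.2.10 as the admin's home machine, 198.51.100.7 as an ordinary client) and the exact tie-breaking when the limit is hit are constructed assumptions; pf's internal accounting is only approximated here.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (seconds since start, source IP) for each inbound SYN.
# Attacker: 13 connection attempts, one every two seconds, like the one caught above.
ATTACKER = "10.0.0.66"
ADMIN = "192.0.2.10"          # assumed "home machine" address
CLIENT = "198.51.100.7"       # assumed ordinary, slow client
CONNECTIONS = sorted(
    [(t, ATTACKER) for t in range(0, 26, 2)]          # t = 0, 2, ..., 24
    + [(t, ADMIN) for t in range(5, 11)]              # six quick sessions, t = 5..10
    + [(30, CLIENT), (200, CLIENT)]
)


def simulate(connections, max_conns, window, whitelist=frozenset()):
    """Replay SYNs through a model of
    'block quick from <table>' + 'pass ... (max-src-conn-rate max_conns/window,
    overload <table> flush)'.

    Returns (blocked, allowed):
      blocked: ip -> time at which it was put into the overload table
      allowed: ip -> number of connections that created state
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    blocked = {}
    allowed = defaultdict(int)
    for t, ip in connections:
        if ip in blocked:
            continue              # block quick: dropped, no state, not counted
        if ip in whitelist:
            allowed[ip] += 1      # whitelisted pass rule above the rate-limited one
            continue
        q = recent[ip]
        while q and t - q[0] > window:
            q.popleft()           # slide the window: forget old connections
        q.append(t)
        if len(q) > max_conns:
            # rate exceeded: this SYN is rejected, the source goes into the
            # overload table and (flush) its existing states are killed
            blocked[ip] = t
        else:
            allowed[ip] += 1
    return blocked, dict(allowed)


def report(max_conns, window, whitelist=frozenset()):
    blocked, allowed = simulate(CONNECTIONS, max_conns, window, whitelist)
    print(f"max-src-conn-rate {max_conns}/{window}, whitelist={sorted(whitelist)}")
    for ip in sorted(allowed):
        when = f"blocked at t={blocked[ip]}s" if ip in blocked else "never blocked"
        print(f"  {ip:15} {allowed[ip]:2} connections allowed, {when}")


if __name__ == "__main__":
    report(10, 60)                               # the setting the post settled on
    report(5, 60)                                # tighter: locks the admin out too
    report(5, 60, whitelist=frozenset({ADMIN}))  # tighter, but admin exempted
```

With 10/60 the attacker gets ten connections through and is tabled on the eleventh at t=20s, while the admin's six sessions pass untouched; at 5/60 the attacker is caught at t=10s but so is the admin, which is exactly the lockout the post is worried about, and the whitelist is what makes the tighter setting safe.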

Now, let's see if I can get automated abuse reporting going once I've caught these little buggers...
