NetBSD-Users archive


Fwd: brute force/dictionary attacks

One day I'll learn how to reply-to-list. :)

---------- Forwarded message ----------
From: Ian Clark <>
Date: 28 September 2011 12:04
Subject: Re: brute force/dictionary attacks
To: Al - Image Hosting Services <>

On 26 September 2011 17:30, Al - Image Hosting Services
<> wrote:
> Hi,
[snip POPing]
> Does anyone know if there is a way to hold the connection open with the pop3
> client much like is done with smtp (tar pit) or if I could limit the number
> of SYN packets? I would like to do something to slow them down.
> Maybe someone has a better suggestion on how to deal with this kind of
> attack.
As Greg A. Woods suggests, using something like pf to filter incoming
packets is probably a good first step.

Have a look at the pass syntax, you can do something like (in /etc/pf.conf):-

<--------- cut
# table of sources that tripped the limits below; 'persist' keeps the
# table around even when no rule currently references it
table <auto_ban> persist

block quick from <auto_ban>
block quick to <auto_ban>

# 'port' needs a protocol (pfctl rejects it otherwise) and the
# max-src-conn counters only apply to TCP
pass in log quick proto tcp from any to any port 110 flags S/SA keep state \
 (max-src-conn 4, max-src-conn-rate 8/10, overload <auto_ban> flush global)

<-------- cut

This defines a table for banned IPs, then says 'block any IP in this
table'. The pass statement uses rate limiting to decide which IPs to
add to the ban pool, i.e. if you connect too frequently or try to open
more than 4 connections. man pf.conf explains these better than I can.

I also have the following in root's cron:

0       2       *       *       *       /sbin/pfctl -t auto_ban -T expire 86400

This expires bans over 86400 seconds old at 2 AM every day.
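A toy model of what the posted rule does, added here as an illustration; it is not code from the post and not pf's implementation. The counters follow the rule-option semantics documented in pf.conf(5): max-src-conn counts a source's established connections, max-src-conn-rate counts its new connections within a fixed window, and overload with flush global puts the source in the table and kills all of its states. The traffic, the connection ids and the addresses (RFC 5737 documentation ranges) are constructed for the example. It shows one thing the post does not spell out: a legitimate mail client that opens five parallel POP3 sessions trips max-src-conn 4 just as surely as a dictionary attacker trips max-src-conn-rate 8/10, so the numbers want tuning for clients behind a shared NAT address.

```python
"""Simplified model of: pass in ... keep state
   (max-src-conn 4, max-src-conn-rate 8/10, overload <auto_ban> flush global)
plus the nightly 'pfctl -t auto_ban -T expire 86400'.  Illustration only."""

MAX_SRC_CONN = 4               # max-src-conn 4
RATE_LIMIT, RATE_SECS = 8, 10  # max-src-conn-rate 8/10
BAN_TTL = 86400                # cron: pfctl -t auto_ban -T expire 86400


class AutoBanModel:
    def __init__(self, max_conn=MAX_SRC_CONN, rate_limit=RATE_LIMIT,
                 rate_secs=RATE_SECS, ban_ttl=BAN_TTL):
        self.max_conn, self.rate_limit = max_conn, rate_limit
        self.rate_secs, self.ban_ttl = rate_secs, ban_ttl
        self.conns = {}    # src -> set of open connection ids
        self.rate = {}     # src -> [new-connection count, window start]
        self.banned = {}   # src -> time it was added to <auto_ban>

    def syn(self, now, src, conn_id):
        """Inbound SYN to port 110; returns 'pass', 'block' or 'banned'."""
        if src in self.banned:
            return "block"                    # block quick from <auto_ban>
        # max-src-conn-rate: fixed window that restarts once rate_secs
        # have passed since it was opened (a simplification of pf's counter)
        count, start = self.rate.get(src, (0, now))
        if now - start > self.rate_secs:
            count, start = 0, now
        count += 1
        self.rate[src] = [count, start]
        open_conns = self.conns.setdefault(src, set())
        if count > self.rate_limit or len(open_conns) >= self.max_conn:
            # overload <auto_ban> flush global: table the source and drop
            # every state it holds, not only those created by this rule
            self.banned[src] = now
            self.conns.pop(src, None)
            self.rate.pop(src, None)
            return "banned"
        open_conns.add(conn_id)
        return "pass"

    def fin(self, src, conn_id):
        """Connection closed: the source's established-connection count drops."""
        self.conns.get(src, set()).discard(conn_id)

    def expire(self, now):
        """pfctl -t auto_ban -T expire TTL: drop entries at least TTL seconds old."""
        old = [s for s, t in self.banned.items() if now - t >= self.ban_ttl]
        for s in old:
            del self.banned[s]
        return sorted(old)


def run_scenario():
    """Constructed traffic against the model; returns verdicts, expired, remaining."""
    m = AutoBanModel()
    verdicts = {}
    # 192.0.2.10: dictionary attacker, one short login attempt per second
    for i in range(9):
        verdicts[("192.0.2.10", i)] = m.syn(i, "192.0.2.10", f"a{i}")
        m.fin("192.0.2.10", f"a{i}")
    # 198.51.100.7: mail client polling five mailboxes over parallel sessions
    for i in range(5):
        verdicts[("198.51.100.7", i)] = m.syn(i, "198.51.100.7", f"b{i}")
    # 203.0.113.5: ordinary client, two sequential sessions
    for i in range(2):
        verdicts[("203.0.113.5", i)] = m.syn(20 + i, "203.0.113.5", f"c{i}")
        m.fin("203.0.113.5", f"c{i}")
    # the attacker retries after being tabled and hits the block rule instead
    verdicts[("192.0.2.10", "retry")] = m.syn(30, "192.0.2.10", "a-retry")
    # the 02:00 cron run the next day: only entries at least BAN_TTL old go
    expired = m.expire(86405)
    return verdicts, expired, sorted(m.banned)
```

On a real box the table contents can be inspected with `pfctl -t auto_ban -T show`, and a single wrongly tabled client removed with `pfctl -t auto_ban -T delete <address>` without waiting for the nightly expiry.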


