
Many people use something like denyhosts or fail2ban to help with brute force attacks. PF has built-in support for building rules with options which will throw potential attackers into a 'penalty box' based on certain factors like connection rate.


You can use iptables for that:

  # Record every new SSH connection attempt (source address + TTL) in the "SSH" list
  $ sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

  # Drop a new attempt if the source already has 8 hits within the last 60 s (counting this one);
  # --rttl requires the TTL to match, --update refreshes the timestamp so further attempts extend the penalty
  $ sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
Copied from http://kvz.io/blog/2007/07/28/block-brute-force-attacks-with... but I agree that pf is just much more sane config-wise.


Since nftables is supposed to be backwards compatible, I'd guess it can do this too. I wonder what it'll look like for that. A lot of the other syntax looks nicer, I suspect that this will be better too.


That one I haven't seen before, I wonder if the new nftables might be able to implement any of that. Based on the state machine specs probably not, since I don't think there's any storage or any way for it to generate new rules on itself based on what I've read.
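The two comments above ask what the iptables "recent" rules look like in nftables. nftables has no rule-generating state machine, but its dynamic sets cover this case: a per-source rate limit stored in a set, plus a second timed set that acts as the penalty box. The ruleset below is an added example, not something posted in the thread or taken from the nftables project; the set names ssh_meter and ssh_penalty, the 10 minute penalty and the accept policy are assumptions, and it assumes an nftables build with dynamic set support. Run it through nft -c -f first, since it is written here from the documented syntax and not verified on this page.

```nftables
# Added example: nftables equivalent of the iptables "recent" rules above.
# Names (ssh_meter, ssh_penalty) and the 10m penalty are illustrative choices.
# Check syntax:  nft -c -f ssh-ratelimit.nft
# Install:       nft -f ssh-ratelimit.nft
table inet filter {
    # per-source rate counter for new SSH connections (dynamic = elements
    # are created from the packet path; size bounds kernel memory)
    set ssh_meter {
        type ipv4_addr
        size 65535
        flags dynamic
    }

    # the penalty box: a source stays here for 10 minutes after its last entry
    set ssh_penalty {
        type ipv4_addr
        size 65535
        flags dynamic, timeout
        timeout 10m
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # anything already in the penalty box is dropped outright
        ip saddr @ssh_penalty drop

        # a source opening more than 8 new SSH connections per minute is
        # added to the penalty box and this attempt is dropped; below the
        # rate the rule does not match and the packet falls through
        tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 8/minute } add @ssh_penalty { ip saddr } drop
    }
}
```

Two caveats a practitioner would want. First, nftables' limit is a token bucket, not the strict "8 hits in the last 60 seconds" window that the iptables recent match implements, so the exact moment a source is penalised differs; pick the rate with that in mind and put an accept rule for your own management addresses ahead of the penalty rule so a mistake does not lock you out. Second, ip saddr only matches IPv4 inside an inet table; an IPv6 host needs a parallel pair of ipv6_addr sets keyed on ip6 saddr. The chain here has policy accept only to keep the example short; in a real ruleset it sits inside your normal default-drop input chain.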



