(SOLVED) SSH brute-force blocklist via pfSense

I have an SSH server on an Ubuntu box behind a pfSense. I would like to block "CHINA" from SSH-ing, and/or anything else on its 5th failure to auth, seeing as 3 attempts would be a refused connection, thus kicked back to the local PC.

Root is not SSH-able, but still they try.

I'm drunk, but I see China being an ass to my stuff. How do I stop it and add them to a block list after the 5th failure, on the server itself or on pfSense? Cause fuck 5 failed attempts.

Thanks, future me.


You can use pfBlocker to do geoblocking; it's not foolproof, especially if you use the free lists, but you'll block most of China like that. A better solution for blocking brute-force attacks, though, would be to run fail2ban on the SSH server, which will block an IP after a certain number of failed attempts for a certain period.


Just throwing it out there, but with the introduction of easily accessible cloud computing services, geoblocking has been rendered mostly obsolete. If you're going to do geoblocking, that's fine, but I would also recommend ignoring websites or IPs that are uncategorized.

It's more than likely you're not being brute-forced but rather being scanned. Sweeping scans come from China all the time.

Yeah, watching pfBlocker logs can make one paranoid with the number of hourly scans of my firewall. It's difficult, if not impossible, to know which ones I should really be worried about.

Well, as long as you don't have stuff opened up everywhere, you'll be fine. Also, create a rule as rule 2 that denies all traffic to your firewall from the internet. That'll secure your device a bit further.

fail2ban, that would be what I'm looking to do. I was setting up pfBlocker, but I also want the ones that inevitably slip past it.

Thanks, Kane.

Fail2ban works well; I use it. It also works with firewalld, among other things, which is nice if you're running CentOS/RHEL/Fedora etc.

I'll need to try out pfBlocker and see what it does. Interesting add-on.

Fact is, though, you're nothing special; if you hook a computer to the internet, you're going to get spammed by bots trying to get in.

China is just one place. I'm currently getting hit by a bunch of Linode VPSs.

Easier with SSH is to block everything and only whitelist those devices that are authorized.

Sometimes I SSH from my phone's data connection, so I'll have to find its possible range to do that, I guess.

IMO the best way to keep script kiddies / automated scanners from finding your SSH server is to change the default port SSH listens on.

I agree, but I don't want to have to specify that different port on every new device.
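Two suggestions in this thread, "run fail2ban, which bans an IP after N failures within a window" and "block everything and whitelist the devices you trust", are really one decision procedure over sshd's auth log. The block below is an added example that models that procedure in plain Python; it is not fail2ban's code and not something posted in the thread. The log excerpt is constructed (documentation addresses only), the `maxretry`/`findtime`/`bantime` names are borrowed from fail2ban's jail options and the allowlist plays the role of its `ignoreip`, and the firewall command strings at the end are illustrative of what a ban action would run, not the tool's actual action template.

```python
"""Model of fail2ban-style banning for sshd, with an allowlist exemption.

Added example for the thread above, not fail2ban's own code.
Log lines are constructed; 203.0.113.0/24, 198.51.100.0/24 and
192.0.2.0/24 are documentation ranges, not real attackers.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt: 203.0.113.7 fails five times inside three
# minutes, 198.51.100.9 fails three times spread over half an hour, and
# 192.0.2.20 (the "phone" range we trust) fails five times in a row.
SAMPLE_LOG = """\
Mar  3 01:00:01 box sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 01:00:05 box sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar  3 01:01:10 box sshd[1003]: Failed password for root from 198.51.100.9 port 50001 ssh2
Mar  3 01:01:30 box sshd[1004]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  3 01:02:00 box sshd[1005]: Failed password for invalid user test from 203.0.113.7 port 40004 ssh2
Mar  3 01:02:15 box sshd[1006]: Failed password for root from 198.51.100.9 port 50002 ssh2
Mar  3 01:02:40 box sshd[1007]: Failed password for user from 192.0.2.20 port 60001 ssh2
Mar  3 01:02:41 box sshd[1008]: Failed password for user from 192.0.2.20 port 60002 ssh2
Mar  3 01:02:42 box sshd[1009]: Failed password for user from 192.0.2.20 port 60003 ssh2
Mar  3 01:02:43 box sshd[1010]: Failed password for user from 192.0.2.20 port 60004 ssh2
Mar  3 01:02:44 box sshd[1011]: Failed password for user from 192.0.2.20 port 60005 ssh2
Mar  3 01:03:00 box sshd[1012]: Failed password for root from 203.0.113.7 port 40005 ssh2
Mar  3 01:03:30 box sshd[1013]: Accepted publickey for user from 192.0.2.20 port 60006 ssh2
Mar  3 01:30:00 box sshd[1014]: Failed password for root from 198.51.100.9 port 50003 ssh2
"""

# Matches sshd's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


class SshdBanModel:
    """Sliding-window failure counter: ban an IP once it reaches `maxretry`
    failures inside `findtime`, for `bantime`, unless it is allowlisted."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10),
                 bantime=timedelta(hours=1), ignore_nets=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        # Allowlist (fail2ban calls this ignoreip): failures from here never count.
        self.ignore_nets = [ipaddress.ip_network(n) for n in ignore_nets]
        self.failures = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned = {}                     # ip -> ban expiry time

    def observe(self, line):
        """Feed one log line. Returns the IP if this line triggered a ban, else None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only the spacing between events matters here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        if any(ipaddress.ip_address(ip) in net for net in self.ignore_nets):
            return None
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()              # drop failures older than findtime
        if len(window) >= self.maxretry and not self.is_banned(ip, ts):
            self.banned[ip] = ts + self.bantime
            window.clear()
            return ip
        return None

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        return expiry is not None and now < expiry

    def ban_commands(self):
        """Illustrative host-firewall actions for every current ban (an
        assumption for this example, not fail2ban's real action template)."""
        return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j REJECT"
                for ip in sorted(self.banned)]


def process_log(text, **kwargs):
    """Run every line of `text` through a fresh model and return it."""
    model = SshdBanModel(**kwargs)
    for line in text.splitlines():
        model.observe(line)
    return model


if __name__ == "__main__":
    m = process_log(SAMPLE_LOG, ignore_nets=["192.0.2.0/24"])
    for cmd in m.ban_commands():
        print(cmd)
```

Running it bans only 203.0.113.7: 198.51.100.9 never has five failures inside the ten-minute window, and 192.0.2.20's failures are discarded by the allowlist. The same three knobs map directly onto a `[sshd]` section in fail2ban's `jail.local` (`maxretry`, `findtime`, `bantime`, `ignoreip`), and the allowlist entry is where the phone carrier's range from the thread would go.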