I have an SSH served by an Ubuntu behind a pfSense. I would like to block "CHINA" from SSH-ing and/or any other 5th failure to auth, seeing as 3 attempts would be a refused connection, thus kicked back to local PC.
Root is not SSH-able but still they try.
I'm drunk but see China being an ass to my stuff. How do I stop and add to a block list after 5th failure on the server itself or pfSense, 'cause fuck 5 failed attempts.
You can use pfblocker to do geoblocking. It's not foolproof, especially if you use the free lists, but you'll block most of China like that. But a better solution to blocking brute force attacks would be to run fail2ban on the SSH server, which will block the IP after a certain number of failed attempts for a certain period.
Just throwing it out there, but with the introduction of easily accessible cloud computing services, geoblocking has been rendered mostly obsolete. If you're going to do geoblocking that's fine, but I also would recommend ignoring websites or IPs that are uncategorized.
It's more than likely you're not being brute forced but rather being scanned. Sweeping scans come from China all the time.
Yeah, watching pfblocker logs can make one paranoid with the number of hourly scans of my firewall. It's difficult if not impossible to know which I should be really worried about.
Well, as long as you don't have stuff opened up everywhere you'll be fine. Also create a rule as rule 2 that denies all traffic to your firewall from the internet. That'll secure your device a bit further.