How to set up an anti-bruteforce pam_af module on FreeBSD
- Install the pam_af port
pkg_add -r pam_af
- Setup a basic firewall
ipfw add 100 deny tcp from table\(1\) to me setup
ipfw add 65534 allow ip from any to any
(remember to set this up in rc.conf via a basic firewall script so the rules survive a reboot)
- Configure the PAM services by adding pam_af to /etc/pam.d/{sshd,ftp,ftpd} (requisite: a banned host fails immediately and the rest of the auth stack is skipped):
...
auth requisite /usr/local/lib/pam_af.so
...
- Configure pam_af: trust your own networks (unlimited attempts, no lockout)
pam_af_tool ruleadd -h 'XXX.XXX.XXX.0/22' -a unlimited -t 0
- and ban everyone else after 5 failed attempts for 15 minutes by adding the client address to ipfw table 1 (pam_af sets PAM_RHOST to the client address when it runs the lock/unlock command; keep the single quotes so the shell does not expand it when the rule is added)
pam_af_tool ruleadd -h '*' -a 5 -t 15M -l '/sbin/ipfw table 1 add $PAM_RHOST' -u '/sbin/ipfw table 1 delete $PAM_RHOST'
- Check your rules
pam_af_tool rulelist
- Check your firewall
ipfw table 1 list
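The lock/unlock commands above hand $PAM_RHOST straight to ipfw. The wrapper below is an added example, not part of pam_af or this post: a hypothetical /usr/local/sbin/pam_af_ban.sh that accepts only a plain IPv4 address and records every ban and unban in syslog, so lockouts can be audited later. It assumes pam_af exports the client address as PAM_RHOST, as the rules above rely on.

```sh
#!/bin/sh
# pam_af_ban.sh (hypothetical helper, not shipped with pam_af):
# wrapper for the pam_af lock/unlock commands that validates PAM_RHOST
# and logs every ban/unban, e.g.
#   pam_af_tool ruleadd -h '*' -a 5 -t 15M \
#       -l '/usr/local/sbin/pam_af_ban.sh add' -u '/usr/local/sbin/pam_af_ban.sh delete'
IPFW=${IPFW:-/sbin/ipfw}   # overridable so the script can be dry-run with IPFW=echo
TABLE=${TABLE:-1}          # ipfw table used by the deny rule

# True only for a plain dotted-quad IPv4 address: anything else never reaches
# the firewall command line. The body is a subshell, so IFS and $@ stay local.
is_ipv4() (
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
)

log() {
    # syslog when available, stderr otherwise; never fails
    logger -t pam_af_ban "$*" 2>/dev/null || echo "pam_af_ban: $*" >&2
}

# ban add|delete  -- applies the action to $PAM_RHOST, which pam_af sets
# to the client address when it runs the lock/unlock command.
ban() {
    case "$1" in
        add|delete) ;;
        *) echo "usage: $0 add|delete" >&2; return 2 ;;
    esac
    if ! is_ipv4 "${PAM_RHOST:-}"; then
        log "refused $1: PAM_RHOST='${PAM_RHOST:-}' is not an IPv4 address"
        return 1
    fi
    log "$1 $PAM_RHOST in ipfw table $TABLE"
    "$IPFW" table "$TABLE" "$1" "$PAM_RHOST"
}

# Dispatch only when an action is given, so sourcing the file is harmless.
case "${1:-}" in add|delete) ban "$1" ;; esac
```

Check the audit trail with grep pam_af_ban /var/log/messages after a test lockout; the refused entries are the ones worth a second look.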