2 Replies Latest reply: Jan 22, 2013 1:02 PM by g_wolfman
mtlgeek Level 1 (0 points)

I'm trying to find a way to add a delay between new ssh connections to the Mac using ipfw. Basically I want to duplicate the following Linux iptables commands:


iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 25 -j DROP

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set -j ACCEPT


The effect is that an IP address that connects via ssh to the computer cannot open a new ssh connection for the next 25 seconds. It helps stop username/password searches via ssh without the complexity of creating an evolving blacklist.

  • MrHoffman Level 6 (13,050 points)

    AFAIK, ipfw doesn't have dynamic rules.  Alternatives: some sort of an add-on filter (and I haven't tried that one on OS X!) or fail2ban.  Move the ssh port somewhere weird, an approach which will confound many of the gremlins.  Maybe port knocking.  Or move to a VPN.  Delaying the ssh connections won't help against a distributed ssh brute-force attack, either.  There's a reasonable general (non-OS X) write-up here.  Personally, I find a gateway-based VPN server is usually easier to deal with, and it keeps the OS X logs from getting filled with noise.

  • g_wolfman Level 4 (1,120 points)

    ipfw has been deprecated in OS X in favour of pf, which does support dynamic rules and throttling.  Unfortunately, I don't work with it, so I can't actually help you with the syntax, but I do know that what you want should be possible.


    However, I do also feel obliged to point out that the majority of "best practice" guides I'm aware of would all suggest using a tool like fail2ban or DenyHosts, as MrHoffman has already mentioned.
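For reference, the pf rule set below is an added example (not posted by anyone in this thread) of the throttling g_wolfman refers to, approximating the 25-second iptables "recent" rule from the question. It assumes the interface is en0, the table and file names are made up, and pf's semantics differ slightly: a source that opens more than one new SSH connection in 25 seconds is added to a block table rather than merely dropped.

```pf
# /etc/pf.anchors/ssh_ratelimit  (constructed example; path and names are assumptions)

# Sources that exceed the rate land here; 'persist' keeps the table across reloads.
table <ssh_bruteforce> persist

# 'quick' makes this final: anything already in the table is dropped before the
# pass rule below is evaluated.
block in quick on en0 proto tcp from <ssh_bruteforce> to any port 22

# Allow new SSH connections, at most 1 per 25 seconds per source address
# (max-src-conn-rate number/seconds). A source exceeding that is added to the
# table, and 'flush global' also tears down its existing states.
pass in on en0 proto tcp from any to any port 22 flags S/SA keep state \
    (max-src-conn-rate 1/25, overload <ssh_bruteforce> flush global)
```

Load it with `pfctl -f` (or reference the file as an anchor from /etc/pf.conf and reload) and check state with `pfctl -t ssh_bruteforce -T show`. Unlike the iptables rule, pf does not age table entries out by itself, so to recover the 25-second cooldown run `pfctl -t ssh_bruteforce -T expire 25` periodically (for example from launchd), which removes entries older than 25 seconds.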