
how do i add delay between ssh new connection, ipfw expert

I'm trying to find a way to add a delay between new ssh connections to the Mac using ipfw. Basically I want to duplicate the following Linux iptables commands:


iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 25 -j DROP

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set -j ACCEPT


The effect is that an IP address that connects via ssh to the computer cannot open a new ssh connection for the next 25 seconds. It helps stop username/password searches via ssh without the complexity of creating an evolving blacklist.

Posted on Jan 21, 2013 2:54 PM

2 replies

Jan 22, 2013 7:56 AM in response to mtlgeek

AFAIK, ipfw doesn't have dynamic rules. Alternatives: some sort of an add-on filter (and I haven't tried that one on OS X!) or fail2ban. Move the ssh port somewhere weird, an approach which will confound many of the gremlins. Maybe port knocking. Or move to a VPN. Delaying the ssh connections won't help against a distributed ssh brute-force attack, either. There's a reasonable general (non-OS X) write-up here. Personally, I find a gateway-based VPN server is usually easier to deal with, and it keeps the OS X logs from getting filled with noise.

Jan 22, 2013 1:02 PM in response to mtlgeek

ipfw has been deprecated in OS X in favour of pf, which does support dynamic rules and throttling. Unfortunately, I don't work with it, so I can't actually help you with the syntax, but I do know that what you want should be possible.


However, I do also feel obliged to point out that the majority of "best practice" guides I'm aware of would all suggest using a tool like fail2ban or DenyHosts, as MrHoffman has already mentioned.
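An added example, not from either reply and not Apple's own configuration: a pf.conf fragment that approximates the iptables "recent" rule pair from the question on OS X 10.7 or later. The interface name en0 and the table name bruteforce are assumptions.

```pf
# Added example: pf.conf fragment approximating the iptables rule pair
# from the question. Assumptions: the interface is en0 and the table
# name "bruteforce" is arbitrary.

ext_if = "en0"

# Addresses that exceeded the rate limit are collected here; "persist"
# keeps the table across rule reloads even while it is empty.
table <bruteforce> persist

# Drop everything from an address already in the table, before the pass
# rule is evaluated.
block in quick on $ext_if from <bruteforce> to any

# Allow at most one new ssh connection (initial SYN) per 25 seconds per
# source address. A source exceeding that rate is added to <bruteforce>,
# and "flush global" also tears down every state it currently holds.
pass in on $ext_if proto tcp from any to any port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 1/25, overload <bruteforce> flush global)
```

Load it with `sudo pfctl -f /etc/pf.conf` and enable pf with `sudo pfctl -e`. Unlike the iptables rule, whose block lapses 25 seconds after the last attempt, table entries stay until removed, for example periodically with `sudo pfctl -t bruteforce -T expire 3600`.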
