To block FTP bruteforce attacks using the PF firewall on a BSD system, you can create a rule that limits the number of FTP connections from a single IP address within a certain period of time. Here’s an example rule that blocks FTP bruteforce attacks:
```
# Table that collects offending source addresses. It must exist before the
# rules below reference it; "persist" keeps it even when it is empty.
table <ftp-bruteforce> persist

# $ext_if and $ftp_server are macros defined elsewhere in pf.conf.
pass in on $ext_if proto tcp from any to $ftp_server port ftp flags S/SA \
    keep state (max-src-conn 10, max-src-conn-rate 5/10, overload <ftp-bruteforce> flush)
block in quick from <ftp-bruteforce>
```
Here's how the rule works:

- The `pass` rule allows incoming TCP connections to the FTP server on the FTP port (`port ftp`) from any source IP address (`from any`) whose first packet has the SYN flag set and the ACK flag clear (`flags S/SA`), i.e. new connection attempts.
- The `keep state` option maintains state information for each connection, and the options in parentheses limit what a single source IP address may do: `max-src-conn 10` caps the number of simultaneous connections from one source at 10, and `max-src-conn-rate 5/10` caps the rate of new connections at 5 per 10 seconds.
- The `overload <ftp-bruteforce>` option adds the source IP address of any host that exceeds either limit to the `ftp-bruteforce` table.
- The `flush` option kills the states this rule created for the offending host, so its existing connections are dropped as soon as it lands in the table.
- The `block` rule blocks all incoming traffic from addresses in the `ftp-bruteforce` table; `quick` stops rule evaluation at that rule, so no later `pass` rule can let the traffic through.
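To make the two limits concrete, the following Python script is an added example (not code from the original page) that replays a constructed connection log and reports when each source would be put into the `ftp-bruteforce` table. It is a simplified model of how PF counts simultaneous states and new-connection rate, not PF's own implementation; the log lines, IP addresses and timings are constructed.

```python
from collections import defaultdict, deque

# Constructed connection log: (time in seconds, source IP, event).
# "syn" is a new connection attempt; "fin" closes one open state for that host.
CONSTRUCTED_LOG = [
    (0, "10.0.0.5", "syn"), (1, "10.0.0.5", "syn"), (1, "10.0.0.5", "syn"),
    (2, "10.0.0.5", "syn"), (2, "10.0.0.5", "syn"), (3, "10.0.0.5", "syn"),
    (0, "10.0.0.7", "syn"), (4, "10.0.0.7", "fin"), (12, "10.0.0.7", "syn"),
    (24, "10.0.0.7", "syn"),
]


def simulate_overload(log, max_src_conn=10, rate=(5, 10)):
    """Replay a connection log against the limits used in the rule.

    Returns {source_ip: time} giving the moment each source would be added to
    the <ftp-bruteforce> table. Simplified model of PF (an assumption, not PF
    code): a new attempt is refused and the host overloaded when it already
    holds max_src_conn open states, or when more than rate[0] attempts arrive
    within a rate[1]-second window. "flush" is modelled by dropping the host's
    open states at that moment.
    """
    limit, window = rate
    open_states = defaultdict(int)
    recent = defaultdict(deque)       # per host: timestamps of recent attempts
    overloaded = {}
    for t, ip, event in sorted(log, key=lambda e: e[0]):   # stable sort
        if ip in overloaded:           # block in quick from <ftp-bruteforce>
            continue
        if event == "fin":
            open_states[ip] = max(0, open_states[ip] - 1)
            continue
        q = recent[ip]
        q.append(t)
        while q and q[0] <= t - window:    # slide the rate window forward
            q.popleft()
        if open_states[ip] >= max_src_conn or len(q) > limit:
            overloaded[ip] = t
            open_states[ip] = 0        # flush: kill the host's existing states
        else:
            open_states[ip] += 1
    return overloaded


if __name__ == "__main__":
    for ip, t in simulate_overload(CONSTRUCTED_LOG).items():
        print(f"{ip} added to <ftp-bruteforce> at t={t}s")
```

In the constructed log, 10.0.0.5 sends six SYNs in three seconds and trips `max-src-conn-rate 5/10`, while 10.0.0.7 opens one connection every 12 seconds and is never overloaded.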
You can customize the values of the `max-src-conn` and `max-src-conn-rate` options to suit your needs. You can also use a different table name if you prefer. Make sure to reload the PF firewall after modifying the rules by running the command `pfctl -f /etc/pf.conf`.