25th June 2011
Dr-D
Brute force attacks

I have a question regarding brute force attacks on PCs behind my OpenBSD firewall, but after thinking about it I think I've answered my own question. But I'll ask just to verify.

My question was this:
Can brute force VNC attacks be handled like SSH? I have an OpenBSD firewall with port forwarding to two Windows boxes. I'm the only one who should ever be connecting to these systems from wherever in the world I happen to be, so what I would like to do is give myself two attempts to connect, just in case caps lock is on or there is a typo on the first attempt. If the second attempt fails then it should completely ignore/block any more attempts for the next five minutes, or however long I wish for it to wait, then allow me to try again after that amount of time has elapsed. Is this possible?

Answer to my own question:
No, this isn't possible because the OpenBSD firewall is simply forwarding the connection to the appropriate PC behind the firewall, and it is therefore the responsibility of the Windows PC accepting the connection to enforce such a rule set.

Did I ask and answer my own question correctly? Below is a copy of my pf.conf file in case it has any relevance.

#######################
# pf.conf
# macros
int_if="xl0"
ext_if="xl1"
whs="192.168.0.50"
pc1="192.168.0.20"
pc2="192.168.0.21"

# options
set block-policy drop
set loginterface $ext_if
set skip on lo

# match rules
match in all scrub (no-df)
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $pc1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $pc2 synproxy state
pass in log on $int_if
#######################
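As an added illustration that is not part of the original post: pf's connection-rate state options, the same mechanism commonly attached to SSH pass rules, can be attached to the rdr-to rules above. The table name <bruteforce> and the threshold of 2 connections per 300 seconds are assumed values chosen to match the two-attempts-then-five-minutes wish. Note what pf can and cannot see here: max-src-conn-rate counts new TCP connections from a source address, not failed VNC passwords, so a client that fails authentication twice inside one connection is not counted, and the password-failure side of the problem does stay with the VNC server on the Windows box.

```pf
# Added example rules (not from the original post). Assumes the macros from
# the pf.conf above ($pc1, $pc2) and the egress group resolving to xl1.

# Table of source addresses that exceeded the connection rate.
# persist keeps the table defined even while it is empty.
table <bruteforce> persist

# Must sit before the pass rules: quick stops rule evaluation here,
# so a listed source never reaches the rdr-to rules below.
block in quick log on egress from <bruteforce>

# More than 2 new TCP connections from one source within 300 seconds
# adds that source to <bruteforce>; "flush global" also tears down every
# existing state from that source, so an in-progress session is cut too.
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $pc1 \
    synproxy state (max-src-conn-rate 2/300, overload <bruteforce> flush global)
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $pc2 \
    synproxy state (max-src-conn-rate 2/300, overload <bruteforce> flush global)
```

Addresses added by overload do not age out on their own; a cron job running `pfctl -t bruteforce -T expire 300` removes entries older than 300 seconds, which is what turns the block into a five-minute lockout rather than a permanent one, and `pfctl -t bruteforce -T show` lists who is currently blocked. Two caveats for the firewall side: the counter is per source address, so your own third connection inside the window trips it just as an attacker's would, and a scanner that spreads attempts over many source addresses or keeps under the rate is not caught by this rule at all.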