Re: brutal SSH attacks

Luke Jee Tue, 08 Feb 2011 17:18:58 -0800

Hi Vadyam,

try this:
table <abusive_hosts>


remove persist, i remember it means table will readonly

On Wed, Feb 9, 2011 at 2:11 AM, Vadym Chepkov <vchep...@gmail.com> wrote:

> Hi,
>
> Could somebody help in figuring out why PF configuration meant to prevent
> brutal SSH attacks doesn't work.
>
> Here are the relevant parts:
>
> /etc/ssh/sshd_config
>
> PasswordAuthentication no
> MaxAuthTries 1
>
> /etc/pf.conf
>
> block in log on $wan_if
>
> table <abusive_hosts> persist
> block drop in quick from <abusive_hosts>
>
> pass quick proto tcp to $wan_if port ssh keep state \
> (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush
> global)
>
> I would expect if somebody tried to make more then 9 connections a minute
> would have been blocked.
>
> But it's not the case:
>
> Feb  7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
> Feb  7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
> Feb  7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
> Feb  7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
> Feb  7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
> Feb  7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
> Feb  7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
> Feb  7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
> Feb  7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
> Feb  7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
> Feb  7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
> Feb  7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
> Feb  7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
> Feb  7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
> Feb  7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
> Feb  7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
> Feb  7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
> Feb  7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16
>
> What did I miss?
>
> Thank you,
> Vadym
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
>



-- 
Luke Jee
CEO
Prevantage Corporation
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

Re: brutal SSH attacks

Reply via email to