I should have mentioned it. Some IPs do get into the abusive_hosts table, but some do not, and I don't understand why, or how they avoid getting caught.
Vadym

On Feb 8, 2011, at 8:07 PM, Vadym Chepkov wrote:

> On Feb 8, 2011, at 7:11 PM, Vadym Chepkov wrote:
>
>> On Feb 8, 2011, at 7:01 PM, Helmut Schneider wrote:
>>
>>>>> Check your pflog. The ruleset itself seems fine (if it is complete and
>>>>> you did not forget to post a vital part). We can also assume that pf is
>>>>> enabled, can we?
>>>>
>>>> What should I be looking for in pflog? I can't find anything ssh related.
>>>> I posted the full ruleset too.
>>> [...]
>>>> [root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>
>>> Well...
>>>
>>>> block drop in quick from <abusive_hosts> to any
>>>> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global, src.track 60)
>>>
>>> "block drop in quick log..." and "pass quick inet proto log" might be
>>> useful. BTW, what version of FreeBSD are you using? The machine isn't
>>> multi-homed, is it?
>>
>> 8.1-RELEASE-p1, just one external interface.
>>
>> I will add "log" to "pass ssh", but what would I "block drop in quick"
>> though?
>
> Here are the entries with log enabled on the "pass in" rule:
>
> 19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0
> 19:59:09.879718 rule 5/0(match): pass in on bce1: 93.174.31.134.37700 > 38.X.X.X.22: Flags [S], seq 442612509, win 5840, options [mss 1460,sackOK,TS val 395812607 ecr 0,nop,wscale 7], length 0
> 19:59:11.585464 rule 5/0(match): pass in on bce1: 93.174.31.134.38063 > 38.X.X.X.22: Flags [S], seq 452334454, win 5840, options [mss 1460,sackOK,TS val 395814310 ecr 0,nop,wscale 7], length 0
> 19:59:13.343901 rule 5/0(match): pass in on bce1: 93.174.31.134.38266 > 38.X.X.X.22: Flags [S], seq 460272696, win 5840, options [mss 1460,sackOK,TS val 395816072 ecr 0,nop,wscale 7], length 0
> 19:59:15.083747 rule 5/0(match): pass in on bce1: 93.174.31.134.39088 > 38.X.X.X.22: Flags [S], seq 451620226, win 5840, options [mss 1460,sackOK,TS val 395817812 ecr 0,nop,wscale 7], length 0
> 19:59:16.825914 rule 5/0(match): pass in on bce1: 93.174.31.134.39441 > 38.X.X.X.22: Flags [S], seq 449195625, win 5840, options [mss 1460,sackOK,TS val 395819550 ecr 0,nop,wscale 7], length 0
> 19:59:18.556231 rule 5/0(match): pass in on bce1: 93.174.31.134.39722 > 38.X.X.X.22: Flags [S], seq 452162408, win 5840, options [mss 1460,sackOK,TS val 395821284 ecr 0,nop,wscale 7], length 0
> 19:59:20.263343 rule 5/0(match): pass in on bce1: 93.174.31.134.40441 > 38.X.X.X.22: Flags [S], seq 466289680, win 5840, options [mss 1460,sackOK,TS val 395822987 ecr 0,nop,wscale 7], length 0
> 19:59:21.996759 rule 5/0(match): pass in on bce1: 93.174.31.134.40812 > 38.X.X.X.22: Flags [S], seq 466926642, win 5840, options [mss 1460,sackOK,TS val 395824721 ecr 0,nop,wscale 7], length 0
> 19:59:23.723164 rule 5/0(match): pass in on bce1: 93.174.31.134.41081 > 38.X.X.X.22: Flags [S], seq 470787551, win 5840, options [mss 1460,sackOK,TS val 395826451 ecr 0,nop,wscale 7], length 0
> 19:59:25.424186 rule 5/0(match): pass in on bce1: 93.174.31.134.41808 > 38.X.X.X.22: Flags [S], seq 456764787, win 5840, options [mss 1460,sackOK,TS val 395828152 ecr 0,nop,wscale 7], length 0
>
> No idea why it didn't stop after 9 attempts.
>
> Vadym

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
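An added worked example, not part of the thread and not code from the pf project: it parses the eleven "pass in" pflog entries quoted above (embedded here as a constructed sample) and evaluates the 9/60 limit two ways. A strict sliding window over the SYN timestamps is exceeded at the 10th SYN; pf's own counter (my transcription of pf_add_threshold()/pf_check_threshold() from pf.c, which decays the count linearly over the interval in whole seconds, treat it as an assumption to check against your kernel source) crosses 9 only at the 11th. The caveat that matters for reading such a log: in pf the max-src-conn and max-src-conn-rate counters advance when a TCP connection completes the three-way handshake (pf_src_connlimit runs from the TCP state tracker once both ends reach ESTABLISHED), not when the SYN is passed. The SYN is logged as "pass" when the state is created, so even the connection that trips the limit shows up as a pass entry, and a run of passed SYNs alone does not tell you whether the counter ever moved. The function and variable names are mine.

```python
"""Evaluate the 9/60 max-src-conn-rate limit against logged SSH SYNs."""
import re
from collections import defaultdict

# Constructed sample: the eleven "pass in" pflog entries quoted in the thread above
# (destination already redacted there as 38.X.X.X).
PFLOG_LINES = """\
19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0
19:59:09.879718 rule 5/0(match): pass in on bce1: 93.174.31.134.37700 > 38.X.X.X.22: Flags [S], seq 442612509, win 5840, options [mss 1460,sackOK,TS val 395812607 ecr 0,nop,wscale 7], length 0
19:59:11.585464 rule 5/0(match): pass in on bce1: 93.174.31.134.38063 > 38.X.X.X.22: Flags [S], seq 452334454, win 5840, options [mss 1460,sackOK,TS val 395814310 ecr 0,nop,wscale 7], length 0
19:59:13.343901 rule 5/0(match): pass in on bce1: 93.174.31.134.38266 > 38.X.X.X.22: Flags [S], seq 460272696, win 5840, options [mss 1460,sackOK,TS val 395816072 ecr 0,nop,wscale 7], length 0
19:59:15.083747 rule 5/0(match): pass in on bce1: 93.174.31.134.39088 > 38.X.X.X.22: Flags [S], seq 451620226, win 5840, options [mss 1460,sackOK,TS val 395817812 ecr 0,nop,wscale 7], length 0
19:59:16.825914 rule 5/0(match): pass in on bce1: 93.174.31.134.39441 > 38.X.X.X.22: Flags [S], seq 449195625, win 5840, options [mss 1460,sackOK,TS val 395819550 ecr 0,nop,wscale 7], length 0
19:59:18.556231 rule 5/0(match): pass in on bce1: 93.174.31.134.39722 > 38.X.X.X.22: Flags [S], seq 452162408, win 5840, options [mss 1460,sackOK,TS val 395821284 ecr 0,nop,wscale 7], length 0
19:59:20.263343 rule 5/0(match): pass in on bce1: 93.174.31.134.40441 > 38.X.X.X.22: Flags [S], seq 466289680, win 5840, options [mss 1460,sackOK,TS val 395822987 ecr 0,nop,wscale 7], length 0
19:59:21.996759 rule 5/0(match): pass in on bce1: 93.174.31.134.40812 > 38.X.X.X.22: Flags [S], seq 466926642, win 5840, options [mss 1460,sackOK,TS val 395824721 ecr 0,nop,wscale 7], length 0
19:59:23.723164 rule 5/0(match): pass in on bce1: 93.174.31.134.41081 > 38.X.X.X.22: Flags [S], seq 470787551, win 5840, options [mss 1460,sackOK,TS val 395826451 ecr 0,nop,wscale 7], length 0
19:59:25.424186 rule 5/0(match): pass in on bce1: 93.174.31.134.41808 > 38.X.X.X.22: Flags [S], seq 456764787, win 5840, options [mss 1460,sackOK,TS val 395828152 ecr 0,nop,wscale 7], length 0
"""

# tcpdump's rendering of a pflog record: timestamp, "rule N/M(match):", action,
# direction, interface, then "src.port > dst.port: Flags [..]".
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) rule \d+/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on \S+: "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_pflog(text):
    """Return (seconds_since_midnight, action, src, dport, flags) per parsable line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip "reading from file" banners and anything else
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        out.append((t, m["action"], m["src"], int(m["dport"]), m["flags"]))
    return out


def strict_window_trip(times, limit, seconds):
    """1-based index of the first connection that makes more than `limit`
    connections inside any trailing `seconds` window (exact sliding window), else None."""
    window = []
    for i, t in enumerate(times, 1):
        window = [w for w in window if t - w < seconds] + [t]
        if len(window) > limit:
            return i
    return None


def pf_threshold_trip(times, limit, seconds, mult=1000):
    """Same question using my transcription of pf_add_threshold()/pf_check_threshold()
    (assumption, verify against your pf.c): whole-second clock, the count decays
    by count*diff/seconds since the last hit, +mult per connection, trips when
    count > limit*mult. `last` starts at the first hit, as the src node would."""
    count, last = 0, int(times[0])
    for i, t in enumerate(times, 1):
        t = int(t)
        diff = t - last
        if diff >= seconds:
            count = 0
        else:
            count -= count * diff // seconds
        count += mult
        last = t
        if count > limit * mult:
            return i
    return None


def analyze(text, limit=9, seconds=60, dport=22):
    """Per source address: passed SYNs to dport and the SYN at which each model trips."""
    syns = defaultdict(list)
    for t, action, src, port, flags in parse_pflog(text):
        if action == "pass" and port == dport and flags == "S":
            syns[src].append(t)
    return {
        src: {"syns": len(ts),
              "window_trip": strict_window_trip(ts, limit, seconds),
              "pf_trip": pf_threshold_trip(ts, limit, seconds)}
        for src, ts in syns.items()
    }


if __name__ == "__main__":
    for src, result in analyze(PFLOG_LINES).items():
        print(src, result)
```

On the firewall itself the numbers to compare against are the source-tracking entries (`pfctl -s Sources`, which lists each tracked source with its state and connection counts) and the table contents (`pfctl -t abusive_hosts -T show`); a source with many logged SYNs but a low connection count in the source-tracking table is one whose handshakes are not completing, which is the case the SYN log alone cannot distinguish.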