Looks like my previous message didn't make it to the list.

@OP: nothing indicates that your table is getting populated correctly.

While this doesn't address your main issue, you may want to install
sshguard which will automatically blacklist attackers and populate a
dedicated table.


On 2/8/11 11:06 PM, Vadym Chepkov wrote:
> 
> On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
> 
>> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> Could somebody help in figuring out why a PF configuration meant to prevent 
>>> brutal SSH attacks doesn't work?
>>>
>>> Here are the relevant parts:
>>>
>>> /etc/ssh/sshd_config
>>>
>>> PasswordAuthentication no
>>> MaxAuthTries 1
>>>
>>> /etc/pf.conf
>>>
>>> block in log on $wan_if
>>>
>>> table <abusive_hosts> persist
>>> block drop in quick from <abusive_hosts>
>>>
>>> pass quick proto tcp to $wan_if port ssh keep state \
>>> (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush 
>>> global)
>>
>>
>> On RELENG_7 and 8 I use something like that.  Is there a different IP
>> they might be connecting to that is not covered under $wan_if?
>>
> 
> That would mean this rule doesn't work:
> 
> block in log on $wan_if
> 
> 
>>
>>
>> table <bruteforce> persist
>> table <SSHTRUSTED> {xx.yy.zz.aa}
>>
>>
>>
>> block log all
>> block in log quick proto tcp from <bruteforce> to any port 22
>> pass in log quick proto tcp from {!<SSHTRUSTED>} to self port ssh \
>>        flags S/SA keep state \
>>        (max-src-conn 6, max-src-conn-rate 3/30, \
>>        overload <bruteforce> flush global)
>> pass in log inet proto tcp from <SSHTRUSTED> to self port ssh keep state
>>
> 
> I don't have "trusted" outside IPs; other than that your config seems the 
> same, except mine is supposed to be more strict - just one IP instead of "self".
> By the way, wouldn't using "self" allow incoming packets to 127.0.0.1?
> 
> Vadym
> 
> 
>>
>>
>>      ---Mike
>>
>>
>> -- 
>> -------------------
>> Mike Tancsa, tel +1 519 651 3400
>> Sentex Communications, m...@sentex.net
>> Providing Internet services since 1994 www.sentex.net
>> Cambridge, Ontario Canada   http://www.tancsa.com/
> 
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
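To make the `max-src-conn` / `max-src-conn-rate` / `overload <table> flush global` behaviour the thread argues about concrete, here is an added Python model (not code from the thread, and not pf(4)'s own implementation). The fixed-window rate count and the addresses are assumptions constructed for illustration.

```python
# Added example: a small model of PF's per-source state-tracking options as used in the thread.
# The window handling below is an assumption for illustration, not pf(4)'s own code.
from collections import defaultdict

class SshLimiter:
    """Mimics 'keep state (max-src-conn N, max-src-conn-rate L/S, overload <t> flush global)'."""

    def __init__(self, max_src_conn, rate_limit, rate_seconds):
        self.max_src_conn = max_src_conn      # concurrent states allowed per source
        self.rate_limit = rate_limit          # new states allowed per window
        self.rate_seconds = rate_seconds      # window length in seconds
        self.open = defaultdict(int)          # src -> currently open states
        self.window = {}                      # src -> (window_start, new states seen)
        self.table = set()                    # contents of the overload table

    def new_connection(self, src, now):
        """Return True if the SYN creates a state, False if it is dropped."""
        if src in self.table:                 # 'block drop in quick from <abusive_hosts>'
            return False
        start, count = self.window.get(src, (now, 0))
        if now > start + self.rate_seconds:   # assumed fixed window: restart the count
            start, count = now, 0
        count += 1
        self.window[src] = (start, count)
        self.open[src] += 1
        if count > self.rate_limit or self.open[src] > self.max_src_conn:
            self.table.add(src)               # 'overload <abusive_hosts>'
            self.open[src] = 0                # 'flush global': kill all of src's states
            return False
        return True

    def close_connection(self, src):
        """A state expired (e.g. sshd dropped the session after MaxAuthTries 1)."""
        if self.open[src] > 0:
            self.open[src] -= 1


def simulate(events, max_src_conn=10, rate_limit=9, rate_seconds=60):
    """Replay constructed (time, src, 'open'|'close') events with the OP's limits.
    Returns (number of connections that got a state, sources now in the table)."""
    lim = SshLimiter(max_src_conn, rate_limit, rate_seconds)
    accepted = 0
    for t, src, action in sorted(events):
        if action == "open":
            accepted += lim.new_connection(src, t)
        else:
            lim.close_connection(src)
    return accepted, lim.table


if __name__ == "__main__":
    # Constructed traffic: a brute-forcer reconnecting once a second (each attempt is a
    # fresh TCP connection because MaxAuthTries 1 ends the session) plus one admin login.
    events = [(i, "203.0.113.9", "open") for i in range(30)]
    events += [(i + 0.5, "203.0.113.9", "close") for i in range(30)]
    events += [(5, "192.0.2.20", "open"), (300, "192.0.2.20", "close")]
    print(simulate(events))  # (10, {'203.0.113.9'}): 9 attempts pass, the 10th trips the rule
```

With the OP's `9/60` setting, the tenth new connection inside the window is the one that lands the source in the table, so a table that stays empty under a visible flood of attempts points at the `pass` rule not matching those packets at all rather than at the limits.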