On 22/03/2007, at 1:50 AM, Eygene Ryabinkin wrote:
You can use the following rule that will put very fast SSH connectors
to the pf table ssh_scans:
-----
pass in quick on $iface proto tcp from any to $ip port 22 flags S/
AUSPF \
keep state (max-src-conn 4, max-src-conn-rate 6/1, overload
<ssh_scans> flush)
-----
Interesting, I really must get off my ass and look closely at pf.
I use the Simple Event Correlater (sec, in ports) to parse the auth
logfile and add ipfw rules blocking the originating site once it sees
3 authentication failures of any kind from a single address. One of
the sec rules looks like this;
-----------------------
type=SingleWithThreshold
ptype=RegExp
pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed
password for $1 from $2' /usr/bin/ma
il -s 'SSH Attack from $2' [EMAIL PROTECTED]
window=60
thresh=3
-----------------------
ipfwadd.sh is just
/sbin/ipfw add 25 deny log tcp from $1 to any in via tun0
-----------------------
I also have a rule that emails me whenever someone successfully logs
into the system.
It's not foolproof, but it helps.
Carl.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
