On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> Right now someone is trying out each IP address I have
> with an ssh attack. Only one of those IP addresses is
> enabled for ssh. I have a "(max-src-conn-rate 100/10,
> overload <bad_guys> flush global)" on that address.
> 
> I would like to know how to get pf to note these
> other attempts and block the sender. To me the obvious
> would be
> 
> block in on Outsize proto tcp port ssh flags S/SA 
>  state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
> 
> This does not work. One gets a message that keeping state on
> a blocked run makes no sense.
> 
>

This topic comes up at regular intervals of 6 months on every *nix
mailing list I'm on.

It will result in everybody screaming for some scripts that analyze log
files and block IPs, do firewall tricks, port changes and whatnot.

It's stupid (sorry, but it is):

- Attacks are automated.
- Stupid user/password combinations.
- From zombie host.

Countermeasures:

- Block the evil guys (here is the big thread about how to do it, and
  most people successfully DoS themselves or even create security holes)

After the script kiddies have stopped ROTFL:

- Use their botnet with 10k hosts from all over the world.
- Connect only 3 times per bot to one ip.

Gained "security" = 0%

Leave it just as it is. You don't have anything to fear if
you use decent passwords. Otherwise don't offer an ssh service!

Remember, there is a chance to hit _the_ password with the first try...

Things that really improve security:

- use keyfiles, disable password auth
- good passwords (here size matters, men :p)
- whitelist known "safe" networks

I just had to write this down, because it really annoys me :) Please
don't take it personally.

Have fun, I'm going to sleep a bit now...
Tobias
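Added example, not part of either message in the thread: a pf.conf fragment that puts the two points together. pf only attaches state (and with it the max-src-conn-rate/overload tracking) to pass rules, which is why the block rule in the original question was rejected; probes to the addresses that do not offer ssh can only be dropped and logged, while the single ssh address keeps its overload protection and additionally accepts connections only from a whitelist table. The interface name em0, the table names and the RFC 5737 documentation addresses are assumptions chosen for the example.

```pf
# Added example pf.conf fragment (not from the original thread).
# Interface, table names and addresses below are assumed placeholders.
ext_if   = "em0"
ssh_host = "198.51.100.5"          # the one address that offers ssh

table <admin_nets> { 192.0.2.0/24, 203.0.113.10 }   # known "safe" networks
table <bad_hosts> persist                            # filled by the overload clause

# Sources already flagged by the overload clause are dropped first.
block in quick on $ext_if from <bad_hosts> to any

# Every other address: no ssh service, so the probes are just dropped
# and logged. A block rule cannot carry "keep state (...)" options, so
# there is no overload tracking here; the log is what you have.
block in log on $ext_if proto tcp from any to any port ssh

# The ssh host: only whitelisted networks may connect, and a single
# source exceeding 100 new connections in 10 seconds is added to
# <bad_hosts> and has all of its existing states flushed.
pass in on $ext_if proto tcp from <admin_nets> to $ssh_host port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then without `-n`. The sshd side of the same advice is `PasswordAuthentication no` together with `PubkeyAuthentication yes` in sshd_config, so that a guessed password is never enough regardless of how many attempts get through the filter.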
