On Wed, Aug 08, 2007 at 10:26:11AM -0700, David Newman wrote:
> On 6/27/07 10:39 PM, Daniel Ouellet wrote:
> > Put quickly as an example, but [to block SSH scans] you can try:
> >
> > # Define some variable for clarity
> > SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
> >
> > ## SSH Hackers - blocked IPs
> > table <scanners> persist file "/etc/tables/scanners"
> >
> > # Block ssh access to bad ssh scanner
> > block drop in log quick on $ext_if inet proto tcp \
> >     from <scanners> to any port ssh
> >
> > # Allow quick valid traffic to ssh but log all attempts as well
> > pass in log quick on $ext_if inet proto tcp from ! <scanners> \
> >     to $ext_if port ssh flags S/SA keep state \
> >     $SSH_LIMIT
>
> I've added something like this to pf.conf but it's only partially
> successful. I would appreciate any clues as to why it's not blocking all
> brute-force attempts.
You would probably be better served by a clue about why this is a terribly
bad idea, but you'll most likely have heard all the arguments already. Or
maybe not - 'flush' enables an attacker to not only prevent you connecting,
but actually to log you out as well. (And 'global' just makes no sense,
given your ruleset.) Plus, SSH scans are about as dangerous as some skiddie
scanning for old versions of PHPMyAdmin, and we don't take steps to prevent
the latter either. Finally, Subversion over SSH uses lots of connections,
should you ever want to use that.

> On an OBSD 4.1 box, here's what I added to pf.conf ($unpro is the
> Internet-facing interface):
>
> #####
>
> # Define limit of ssh connection rates
> SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
> # SSH scanners - blocked IPs
> table <scanners> persist
>
> block drop in log quick on $unpro inet proto tcp \
>     from <scanners> to any port ssh
>
> # Allow quick valid traffic to ssh but log all attempts as well
> pass in log quick on $unpro inet proto tcp from ! <scanners> \
>     to $unpro port ssh $SSH_LIMIT

Skip '! <scanners>' unless it's intended as documentation; you have already
filtered this traffic in the rule above.

It's not surprising that this rule fails to limit ssh connections to
another host; that's what 'to $unpro' tells pf to do, after all. If you do
remove 'to $unpro', you might want to add something like
'from ! $unpro:network'. (Do note that 'from ! { $unpro:network <scanners> }'
is legal syntax, but not sensible.)

> #####
>
> And it appears to be working, at least in part:
>
> [EMAIL PROTECTED] ~ 501$ sudo pfctl -t scanners -T show
> <5 IP addresses>
>
> #####
>
> But some hosts on the protected side of the firewall still report
> brute-force ssh login attempts exceeding the 3/30 rate:
>
> Aug 7 10:16:00 mail sshd[21608]: Invalid user trash from 201.18.81.8
> <23 more login attempts>
>
> Thanks in advance for suggestions as to how to reduce these kinds of
> login attempts.
Don't, just use public keys, or if you really must, good passwords.

		Joachim

-- 
TFMotD: ssh-add (1) - adds RSA or DSA identities to the authentication agent
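For reference, here is the posted ruleset with the three points from the reply applied: 'flush global' dropped from the overload clause, the redundant '! <scanners>' removed from the pass rule, and 'to $unpro' replaced by 'to any' with a 'from ! $unpro:network' source restriction so that ssh sessions forwarded to hosts behind the firewall are counted too. This is an added example and not a fragment from either mail; it assumes the same $unpro macro and <scanners> table as David's pf.conf, and spells out 'flags S/SA keep state' as in Daniel's original so the state options are attached unambiguously.

```conf
# Added example (not from the thread): the rate-limiting ruleset with the
# reply's suggestions applied. Assumes $unpro is the Internet-facing
# interface and that nothing else in pf.conf already passes port 22.

# Overload sources that open more than 3 ssh connections in 30 seconds.
# No 'flush': existing states from that source are left alone, so an
# attacker spoofing or sharing your address cannot tear down your session.
# No 'global': only states created by this rule are considered anyway.
SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners>)"

# Overloaded sources; 'persist' keeps the table even when no rule refers to it.
table <scanners> persist

# Sources already in the table are dropped here, so the pass rule below
# does not need to exclude them again.
block drop in log quick on $unpro inet proto tcp \
    from <scanners> to any port ssh

# 'to any' makes the limit apply to ssh traffic forwarded to internal hosts
# as well as to the firewall itself; 'from ! $unpro:network' exempts the
# directly attached external segment from the limit.
pass in log quick on $unpro inet proto tcp \
    from ! $unpro:network to any port ssh \
    flags S/SA keep state $SSH_LIMIT
```

After loading with pfctl -f /etc/pf.conf, check what has been caught with pfctl -t scanners -T show; an address can be removed again with pfctl -t scanners -T delete <address>. Note that without 'flush', a source that is overloaded keeps whatever states it already had until they expire on their own, which is the behaviour the reply argues for. None of this changes the closing advice: an account protected by public keys gains nothing from the rate limit that it did not already have.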