On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote:
> Nobody?  Sad, it's still doing it.
>
>
> On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
> > I've set up a max-src-conn-rate rule on my gateway router to
> > mitigate brute-force ssh attacks.  This router protects a /28
> > subnet, 25.108.82.80/28.
> >
> > The relevant rules:
> >
> > # pfctl -sr | grep attack
> > block drop in log quick proto tcp from <sshd_attackers> to any
> > pass in log proto tcp from any to any port = ssh keep state
> > (source-track rule, max-src-conn-rate 3/30, overload
> > <sshd_attackers> flush global, src.track 30)
> > #
> >
> > What the three columns of output in the below tcpdump output are:
> > timestamp, rule action, and target host.  As you can tell from
> > the tcpdump command, the sending host is the same in all cases,
> > 208.53.147.204

I'm not a pf newbie by any means, but I'm not really qualified to
answer questions about it either. That said, I don't usually use an
'=' sign in my pf rules, and the pf faq doesn't list that as one of
the accepted operators for the port range
(http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being
parsed correctly, it would cause the behavior you're seeing. Try,

block in log quick proto tcp port ssh keep state \
   (source-track rule, max-src-conn-rate 3 / 30 overload
<sshd_attackers>, src.track 30)

Note that I wouldn't use a flush global directive for a rule like
this, because it can lead to a neat DoS where somebody can spoof one
of your own IP addresses and shut down any ssh sessions you have
active.

Here's a working sample from my own currently active pf file:

pass in on $ext proto tcp to <server6> port smtp keep state \
   (max-src-conn 15 max-src-conn-rate 10 / 45 overload <smtp-overload>) \
   queue 6smtp

(FYI, the smtp-overload table moves traffic to a queue that simply
throttles the connections a little.)

- R.
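An added illustration of the overload pattern discussed in this thread, written as a pf.conf fragment; it is not taken from either poster's configuration. The interface macro `ext_if` and the protected subnet in `ssh_hosts` are placeholder values, and the rule uses `flush` without `global`, so a flush only kills the states this rule created for the offending source rather than every state that source holds; the `pfctl` lines in the trailing comment are the checks an administrator would run to see which sources the overload clause has added and to expire stale entries.

```pf
# Added example pf.conf fragment (not the poster's config). Macros are placeholders.
ext_if    = "em0"                  # assumption: external interface name
ssh_hosts = "{ 203.0.113.0/28 }"   # placeholder for the protected /28 (RFC 5737 range)

# Table populated by the overload clause below; 'persist' keeps it in the
# kernel across rule reloads so entries survive 'pfctl -f /etc/pf.conf'.
table <sshd_attackers> persist

# Drop anything from a source already in the table. 'quick' stops rule
# evaluation here, so a listed source never reaches the pass rule.
block drop in log quick on $ext_if proto tcp from <sshd_attackers> to any

# Allow new ssh connections but track each source address: more than
# 3 new connections from one source within 30 seconds adds that source to
# <sshd_attackers>. 'flush' (without 'global') kills only the states this
# rule created for that source; 'src.track 30' expires idle tracking entries
# after 30 seconds.
pass in log on $ext_if proto tcp from any to $ssh_hosts port ssh \
    flags S/SA keep state \
    (source-track rule, max-src-conn-rate 3/30, \
     overload <sshd_attackers> flush, src.track 30)

# Administrator checks (run from a root shell; not part of pf.conf):
#   pfctl -nf /etc/pf.conf                        # parse-check before loading
#   pfctl -t sshd_attackers -T show               # list sources currently blocked
#   pfctl -t sshd_attackers -T expire 86400       # drop entries older than one day
#   pfctl -t sshd_attackers -T delete 203.0.113.99  # release one source by hand
```

The `block ... quick` rule sits before the `pass` rule on purpose: once a source is in the table, the cheaper table lookup rejects it without creating further state, and the `-T expire` check can be run from cron so the table does not grow without bound.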
