David,
I would take a look at adding synproxy to your rules before worrying about
max-src-states. Synproxy will allow max-src-conn-rate to work more
reliably.
By default, pf(4) passes packets that are part of a tcp(4) handshake between the endpoints. The synproxy state option can be used to c
On 10/24/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Rob <[EMAIL PROTECTED]> [2007-10-24 00:05]:
> > Note that I wouldn't use a flush global directive for a rule like
> > this, because it can lead to a neat DoS where somebody can spoof one
> > of your own IP addresses and shut down any ssh se
* Rob <[EMAIL PROTECTED]> [2007-10-24 00:05]:
> I'm not a pf newbie by any means, but I'm not really qualified to
> answer questions about it either. That said, I don't usually use an
> '=' sign in my pf rules, and the pf faq doesn't list that as one of
> the accepted operators for the port range
On Tue, Oct 23, 2007 at 05:46:45PM -0400, Calomel wrote:
> David,
>
> Was the offending client completing the 3-way handshake every time it
> connected?
>
> For stateful TCP connections, limits on established connections (connections which have completed the TCP 3-way handshake) can also be enfo
On Tue, Oct 23, 2007 at 05:59:31PM -0700, Rob wrote:
> On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote:
> > On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote:
> > > Note that I wouldn't use a flush global directive for a rule like
> > > this, because it can lead to a neat DoS where someb
On October 23, 2007 07:30:25 pm david l goodrich wrote:
> On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote:
> > On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote:
> > > Nobody? Sad, it's still doing it.
> > >
> > > On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
> > > >
On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote:
> On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote:
> > > On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
> > > > I've set up a max-src-conn-rate rule on my gateway router to
> > > > mitigate brute-force ssh attacks. Thi
On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote:
> On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote:
> > Nobody? Sad, it's still doing it.
> >
> >
> > On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
> > > I've set up a max-src-conn-rate rule on my gateway router to
> >
On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote:
> Nobody? Sad, it's still doing it.
>
>
> On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
> > I've set up a max-src-conn-rate rule on my gateway router to
> > mitigate brute-force ssh attacks. This router protects a /28
>
David,
Was the offending client completing the 3-way handshake every time it
connected?
For stateful TCP connections, limits on established connections (connections which have completed the TCP 3-way handshake) can also be enforced
per source IP. The max-src-conn-rate / limit the rate of
new co
Nobody? Sad, it's still doing it.
On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
> I've set up a max-src-conn-rate rule on my gateway router to
> mitigate brute-force ssh attacks. This router protects a /28
> subnet, 25.108.82.80/28.
>
> The relevant rules:
>
> # pfctl -sr |
I've set up a max-src-conn-rate rule on my gateway router to
mitigate brute-force ssh attacks. This router protects a /28
subnet, 25.108.82.80/28.
The relevant rules:
# pfctl -sr | grep attack
block drop in log quick proto tcp from to any
pass in log proto tcp from any to any port = ssh keep st