Date:      Thu, 22 Mar 2007 14:04:46 +0100
From:      Volker <volker@vwsoft.com>
To:        Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Cc:        freebsd-security@freebsd.org, "W. D." <WD@US-Webmasters.com>, Bill Moran <wmoran@collaborativefusion.com>
Subject:   Re: Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID:  <46027EEE.1080105@vwsoft.com>
In-Reply-To: <20070321145041.GG14837@codelabs.ru>
References:  <20070321123033.GD31533@bunrab.catwhisker.org>	<20070321092724.fd6f1541.wmoran@collaborativefusion.com>	<20070321103006.c57729cc.wmoran@collaborativefusion.com> <20070321145041.GG14837@codelabs.ru>

Eugene,

On 12/23/-58 20:59, Eygene Ryabinkin wrote:
...
>>> Do you care to share that script?
>> It's pretty basic, but I will share it.  I've been waiting until I'd been
>> using it for a while to make sure there weren't any problems.
> 
> You can use the following rule that will put very fast SSH connectors
> to the pf table ssh_scans:
> -----
> pass in quick   on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
> keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
> -----

If you replace the "flush" keyword with "flush global", it would give
better results, as it immediately kills all additional
connections from that host (IP address). Without the "global"
keyword, just the SSH connection causing the rule overload is
killed.

Also a max-src-conn-rate of 6/1 (6 connections in 1 second) is IMO a
bit too friendly to those brute force script kiddies but YMMV.

While doing nearly the same as you did in your pf rules, I also let
a cron job run every 10 minutes and scan the auth log for login
errors. If a threshold value is being reached, the IP address gets
inserted into a pf table and gets blocked (forever). This is just a
second line of defense.

HTH,

Volker
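The following is an added example, not code from the thread or from either poster. It puts the two pieces discussed above side by side: the pf rule with "flush global" (shown as a comment, since pf.conf is not runnable here; the table names, the $iface/$ip macros and the stricter 3/10 rate are my assumptions), and a cron-driven log scanner of the kind Volker describes, which counts failed sshd logins per source address and adds offenders to a pf table with pfctl. The script name, threshold, table name and the sample auth.log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: second line of defence against SSH brute forcing on FreeBSD.
#
# pf.conf side (assumed names; not from the original thread):
#
#   table <ssh_scans> persist
#   table <ssh_bruteforce> persist file "/var/db/ssh_bruteforce"
#   block in quick on $iface from <ssh_scans> to any
#   block in quick on $iface from <ssh_bruteforce> to any
#   pass in quick on $iface proto tcp from any to $ip port 22 flags S/SA \
#       keep state (max-src-conn 4, max-src-conn-rate 3/10, \
#       overload <ssh_scans> flush global)
#
# "flush global" tears down every state from the offending source, not only
# the one that tripped the limit. The script below is the slower, log-based
# layer; run it from cron, e.g.:
#   */10 * * * * root /usr/local/sbin/ssh_logscan.sh --run

THRESHOLD=${THRESHOLD:-5}              # failed logins before we block (assumed)
TABLE=${TABLE:-ssh_bruteforce}         # pf table name (assumed)
AUTHLOG=${AUTHLOG:-/var/log/auth.log}

# Print "count ip" for every source with at least $2 failed sshd logins in
# log file $1, most active first. Only "Failed <method> for ..." lines are
# counted; the preceding "Invalid user ..." line for the same attempt is
# skipped on purpose so one attempt is not counted twice.
offenders() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed [^ ]+ for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$1" | sort -rn
}

# Add one address to the pf table. To make the block survive a reboot,
# dump the table afterwards: pfctl -t "$TABLE" -T show > /var/db/ssh_bruteforce
block_ip() {
    pfctl -t "$1" -T add "$2"
}

main() {
    offenders "$AUTHLOG" "$THRESHOLD" | while read -r count ip; do
        block_ip "$TABLE" "$ip" &&
            logger -t ssh_logscan "blocked $ip after $count failed logins"
    done
}

# Constructed sample lines in FreeBSD auth.log format (not a real log).
sample_log() {
cat <<'EOF'
Mar 22 13:01:02 gw sshd[1234]: Invalid user admin from 192.0.2.10
Mar 22 13:01:03 gw sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar 22 13:01:05 gw sshd[1236]: Failed password for root from 192.0.2.10 port 51240 ssh2
Mar 22 13:01:09 gw sshd[1238]: Failed keyboard-interactive/pam for root from 192.0.2.10 port 51251 ssh2
Mar 22 13:02:00 gw sshd[1240]: Accepted publickey for volker from 198.51.100.7 port 40000 ssh2
Mar 22 13:02:30 gw sshd[1242]: Failed password for volker from 198.51.100.7 port 40010 ssh2
Mar 22 13:03:00 gw sshd[1244]: Failed password for invalid user oracle from 203.0.113.5 port 3333 ssh2
EOF
}

# Only touch pf when invoked with --run; sourcing the file just defines functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

With the sample above and a threshold of 3, only 192.0.2.10 (three failures) is reported; the single typo from 198.51.100.7 stays off the table, which is the point of having a threshold rather than blocking on the first failure.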

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46027EEE.1080105>