From: Volker <volker@vwsoft.com>
To: Eygene Ryabinkin
Cc: freebsd-security@freebsd.org, "W. D.", Bill Moran
Date: Thu, 22 Mar 2007 14:04:46 +0100
Subject: Re: Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID: <46027EEE.1080105@vwsoft.com>
In-Reply-To: <20070321145041.GG14837@codelabs.ru>
References: <20070321123033.GD31533@bunrab.catwhisker.org> <20070321092724.fd6f1541.wmoran@collaborativefusion.com> <20070321103006.c57729cc.wmoran@collaborativefusion.com> <20070321145041.GG14837@codelabs.ru>
Eugene,

On 12/23/-58 20:59, Eygene Ryabinkin wrote:
...
>>> Do you care to share that script?
>> It's pretty basic, but I will share it. I've been waiting until I'd been
>> using it for a while to make sure there weren't any problems.
>
> You can use the following rule that will put very fast SSH connectors
> to the pf table ssh_scans:
> -----
> pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
>     keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
> -----

Replacing the "flush" keyword with "flush global" would give better results, as it immediately kills all additional connections with that host (IP address). Without the "global" keyword, just the SSH connection causing the rule overload is killed.

Also, a max-src-conn-rate of 6/1 (6 connections in 1 second) is IMO a bit too friendly to those brute force script kiddies, but YMMV.

While doing nearly the same as you did in your pf rules, I also let a cron job run every 10 minutes and scan the auth log for login errors. If a threshold value is reached, the IP address gets inserted into a pf table and gets blocked (forever). This is just a second line of defense.

HTH,
Volker
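The cron-driven auth-log scan Volker describes, written out as an added example (this is not his script): it counts sshd "Failed password" lines per source address and adds sources over a threshold to the ssh_scans table from the quoted pf rule. It assumes pf.conf declares that table with "table <ssh_scans> persist" plus a block rule referencing it; the log lines, threshold and script name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Volker's script: scan sshd "Failed password" lines in the
# auth log, count failures per source address and add sources over a threshold
# to the pf table ssh_scans. Assumes pf.conf declares "table <ssh_scans> persist"
# and a block rule that references the table.

# Print "count ip" for every source with at least $2 failed logins in log $1.
ssh_offenders() {
    logfile=$1
    threshold=${2:-10}
    awk -v thr="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' "$logfile" | sort -rn
}

# Add each offender to the table. Pass "dry-run" as $3 to print instead of
# calling pfctl (useful for tuning the threshold before enabling blocking).
ssh_block_offenders() {
    logfile=$1
    threshold=$2
    mode=${3:-apply}
    ssh_offenders "$logfile" "$threshold" | while read -r count ip; do
        case $mode in
            dry-run) echo "would add $ip ($count failures) to table ssh_scans" ;;
            *)       pfctl -t ssh_scans -T add "$ip" ;;
        esac
    done
}

# Constructed sample auth.log (RFC 5737 documentation addresses) for the demo.
write_sample_log() {
    printf '%s\n' \
      'Mar 22 14:01:01 cesar sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2' \
      'Mar 22 14:01:02 cesar sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2' \
      'Mar 22 14:01:03 cesar sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2' \
      'Mar 22 14:01:05 cesar sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2' \
      'Mar 22 14:02:01 cesar sshd[1004]: Failed password for volker from 198.51.100.7 port 50001 ssh2' \
      'Mar 22 14:02:09 cesar sshd[1004]: Failed password for volker from 198.51.100.7 port 50001 ssh2' \
      'Mar 22 14:02:15 cesar sshd[1004]: Accepted publickey for volker from 198.51.100.7 port 50001 ssh2' \
      'Mar 22 14:03:00 cesar sshd[1005]: Failed password for root from 192.0.2.9 port 60001 ssh2' > "$1"
}

# Demo run in dry-run mode, so nothing is changed on the host executing it.
sample=$(mktemp) && write_sample_log "$sample"
ssh_block_offenders "$sample" 3 dry-run
rm -f "$sample"
```

Installed as a script, a crontab entry such as `*/10 * * * * /usr/local/sbin/ssh_failures.sh /var/log/auth.log 10` (hypothetical path) reproduces the ten-minute cadence from the message; note that the script re-counts the whole log each run, so rotate the log or track an offset if counts should reset.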