From: Eygene Ryabinkin
To: Volker
Cc: freebsd-security@freebsd.org, "W. D.", Bill Moran
Date: Thu, 22 Mar 2007 17:47:02 +0300
Subject: Re: Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID: <20070322144702.GN14837@codelabs.ru>
In-Reply-To: <46027EEE.1080105@vwsoft.com>
References: <20070321123033.GD31533@bunrab.catwhisker.org> <20070321092724.fd6f1541.wmoran@collaborativefusion.com> <20070321103006.c57729cc.wmoran@collaborativefusion.com> <20070321145041.GG14837@codelabs.ru> <46027EEE.1080105@vwsoft.com>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

Good day!

Thu, Mar 22, 2007 at 02:04:46PM +0100, Volker wrote:
> > You can use the following rule that will put very fast SSH connectors
> > to the pf table ssh_scans:
> > -----
> > pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
> >     keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
> > -----
>
> If you replace the "flush" keyword by "flush global" it would give
> better results as it immediately will kill all additional
> connections with that host (IP address). Without the "global"
> keyword just the ssh connection causing the rule overload is being
> killed.
>
> Also a max-src-conn-rate of 6/1 (6 connections in 1 second) is IMO a
> bit too friendly to those brute force script kiddies but YMMV.

I happen to make some rapid scp's that are doing about 5 or 6 connections
in a minute from the legitimate hosts, so sometimes even the legitimate
hosts are getting blocked. And if that host has another session to the
server I do not like it to be dropped, since then the session will be
lost and I will not be able to drop the legitimate host from the
ssh_scans manually. Whitelisting will help, but I have no persistent
list of the machines I can come from. But your mileage may vary.

By the way, the 6/1 rule is very good when you're firewalling a large
number of clients: massive SSH scans are often hitting the full
netblock, so by changing the '$ip' to '' above you will get very good
throttling for the entire network you're protecting.

> While doing nearly the same as you did in your pf rules, I also let
> a cron job run every 10 minutes and scan the auth log for login
> errors. If a threshold value is being reached, the IP address gets
> inserted into a pf table and gets blocked (forever). This is just a
> second line of defense.

Yeah, this is also helpful. But my setup currently gives me about 4
probes from the SSH scanners and then that host gets blocked. And the
blocking for a long time (or forever) can be not so good on the busy
public login servers -- a machine can just be hacked, but rapidly
reinstalled and patched. Again, your mileage may vary.
-- 
Eygene
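The "second line of defense" Volker describes (a cron job that scans the auth log for login errors and puts addresses over a threshold into a pf table), written out as an added example that is not code from either poster. The sshd log lines are constructed, and the threshold, the whitelisted network and the `ssh_scans` table name (taken from the pf rule quoted above) are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of FreeBSD /var/log/auth.log lines (not from the thread).
SAMPLE_AUTH_LOG = """\
Mar 22 17:40:01 gw sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 22 17:40:02 gw sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 22 17:40:04 gw sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Mar 22 17:40:05 gw sshd[2105]: Invalid user oracle from 198.51.100.7
Mar 22 17:41:10 gw sshd[2110]: Failed password for rea from 192.0.2.10 port 51000 ssh2
Mar 22 17:41:11 gw sshd[2110]: Failed password for rea from 192.0.2.10 port 51000 ssh2
Mar 22 17:41:12 gw sshd[2110]: Failed password for rea from 192.0.2.10 port 51000 ssh2
Mar 22 17:41:14 gw sshd[2110]: Accepted publickey for rea from 192.0.2.10 port 51000 ssh2
Mar 22 17:42:00 gw sshd[2120]: Failed password for invalid user test from 203.0.113.9 port 3333 ssh2
Mar 22 17:42:01 gw sshd[2120]: Failed password for invalid user test from 203.0.113.9 port 3333 ssh2
"""

# sshd messages counted as login errors; "Invalid user" catches probes that
# are rejected before any password is tried.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)"
)

def count_failures(log_text):
    """Return a Counter of login errors per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def offenders(log_text, threshold=3, whitelist=("192.0.2.0/24",)):
    """IPs with at least `threshold` errors, skipping whitelisted networks
    (assumed values; the whitelist is the mitigation for legitimate hosts)."""
    nets = [ip_network(n) for n in whitelist]
    return [ip for ip, n in sorted(count_failures(log_text).items())
            if n >= threshold and not any(ip_address(ip) in net for net in nets)]

def pfctl_commands(ips, table="ssh_scans"):
    """The pfctl invocations the cron job would run for each offender."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]

if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_AUTH_LOG)):
        print(cmd)
```

The script only prints the commands; a real cron job would execute them, and `pfctl -t ssh_scans -T expire <seconds>` can age entries out of the table instead of blocking forever, which addresses the concern raised at the end of the message.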