Date: Fri, 5 Mar 2010 11:10:03 -0600 From: John <john@starfire.mn.org> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: Matthias Fechner <idefix@fechner.net>, freebsd-questions@freebsd.org Subject: Re: Thousands of ssh probes Message-ID: <20100305171003.GA18881@elwood.starfire.mn.org> In-Reply-To: <4B913983.30900@infracaninophile.co.uk> References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org> <F4960422-5F59-4FF4-A2E4-1F0A4772B78B@olivent.com> <20100305154439.GA17456@elwood.starfire.mn.org> <4B912ADC.1040802@infracaninophile.co.uk> <4B91375A.4020503@fechner.net> <4B913983.30900@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Mar 05, 2010 at 05:04:03PM +0000, Matthew Seaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/03/2010 16:54:50, Matthias Fechner wrote:
> > Hi,
> >
> > Am 05.03.10 17:01, schrieb Matthew Seaman:
> >> table <ssh-bruteforce> persist
> >> [...near the top of the rules section...]
> >> block drop in log quick on $ext_if from<ssh-bruteforce>
> >>
> >> [...later in the rules section...]
> >> pass in on $ext_if proto tcp \
> >> from any to $ext_if port ssh \
> >> flags S/SA keep state \
> >> (max-src-conn-rate 3/30, overload<ssh-bruteforce> flush global)
> >>
> >
> > that is dangarous, if you use subversion over ssh you will sometimes get
> > more then 10 requests in 30 seconds.
> > That means you will also block users they are allowed to connect.
>
> Yes. Almost all of the time I use this I've also had a ssh-whitelist
> table -- addresses that will never be blocked in this way. Like this:
>
> table <ssh-bruteforce> persist
> table <ssh-whitelist> const { \
> 81.187.76.160/29 \
> 2001:8b0:151:1::/64 \
> } persist
>
> block drop in log quick on $ext_if from <ssh-bruteforce>
>
> pass in on $ext_if proto tcp \
> from <ssh-whitelist> to $ext_if port ssh \
> flags S/SA keep state
>
> pass in on $ext_if proto tcp \
> from !<ssh-whitelist> to $ext_if port ssh \
> flags S/SA keep state \
> (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
>
Ah. I see. That's clever. Rather than "overriding" the bruteforce
list, which would require getting rid of "quick", you use whitelist
to prevent things from ever going into the bruteforce table.
Nice!
I have just switched to pf from ipfw, so I am still learning the
nuances and style points.
--
John Lind
john@starfire.MN.ORG
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100305171003.GA18881>