Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 17 Nov 2009 13:02:05 +0200
From:      "Sergey V. Dyatko" <sergey.dyatko@gmail.com>
To:        freebsd-pf@FreeBSD.org
Subject:   Re: pf and max-src-conn-rate
Message-ID:  <20091117130205.2e3a5500@notebook>
In-Reply-To: <20091117124804.08d70a8e@notebook>
References:  <20091117124804.08d70a8e@notebook>
next in thread | previous in thread | raw e-mail | index | archive | help 
on Tue, 17 Nov 2009 12:48:04 +0200
"Sergey V. Dyatko" <Sergey.Dyatko@gmail.com> wrote:

Ooops, sorry for the noice. I didn't seen that is only 1 connect

SVD> Hi list, 
SVD> I'm trying to stop ssh bruteforce on my box (rules bellow), but it
SVD> doesn't work. looks like 1sec interval is too small:(
SVD> 
SVD> from auth.log:
SVD> ...
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from
SVD> 200.27.164.214
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication
SVD> error for illegal user cobert from server.aconex.cl
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Failed
SVD> keyboard-interactive/pam for invalid user cobert from
SVD> 200.27.164.214 port 57587 ssh2 ...
SVD> Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication
SVD> error for illegal user colman from 80.243.172.54
SVD> Nov 17 13:40:17 master-db6 sshd[3961]: Failed
SVD> keyboard-interactive/pam for invalid user colman from
SVD> 80.243.172.54 port 45081 ssh2 ...
SVD> 
SVD> As you can see I got 2 connections from 1 ip in 1 second but...
SVD> 
SVD> #pfctl -tbots -Tshow|wc -l
SVD> 0
SVD> 
SVD> where i'm wrong?
SVD> pf.conf:
SVD> 
SVD> ext_if="em0"
SVD> 
SVD> table <trusted_hosts> { my_net/24, some_ip/32}
SVD> table <bots> persist
SVD> 
SVD> scrub in all
SVD> 
SVD> pass in quick on $ext_if proto tcp from <trusted_hosts> 
SVD> block in quick from <bots>
SVD> 
SVD> pass in quick on $ext_if proto tcp to $ext_if port ssh \
SVD>                flags S/SA keep state \
SVD>         ( max-src-conn-rate 2/1 overload <bots> flush )
SVD> 
SVD> pass in all
SVD> pass out all
SVD> 
SVD> 


--
wbr, tiger

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091117130205.2e3a5500>