Date: Tue, 17 Nov 2009 13:02:05 +0200
From: "Sergey V. Dyatko" <sergey.dyatko@gmail.com>
To: freebsd-pf@FreeBSD.org
Subject: Re: pf and max-src-conn-rate
Message-ID: <20091117130205.2e3a5500@notebook>
In-Reply-To: <20091117124804.08d70a8e@notebook>
References: <20091117124804.08d70a8e@notebook>
On Tue, 17 Nov 2009 12:48:04 +0200 "Sergey V. Dyatko" <Sergey.Dyatko@gmail.com> wrote:

Oops, sorry for the noise. I didn't see that it is only 1 connection.

SVD> Hi list,
SVD> I'm trying to stop ssh bruteforce on my box (rules below), but it
SVD> doesn't work. Looks like a 1sec interval is too small :(
SVD>
SVD> from auth.log:
SVD> ...
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from
SVD> 200.27.164.214
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication
SVD> error for illegal user cobert from server.aconex.cl
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Failed
SVD> keyboard-interactive/pam for invalid user cobert from
SVD> 200.27.164.214 port 57587 ssh2
SVD> ...
SVD> Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication
SVD> error for illegal user colman from 80.243.172.54
SVD> Nov 17 13:40:17 master-db6 sshd[3961]: Failed
SVD> keyboard-interactive/pam for invalid user colman from
SVD> 80.243.172.54 port 45081 ssh2
SVD> ...
SVD>
SVD> As you can see I got 2 connections from 1 IP in 1 second but...
SVD>
SVD> #pfctl -tbots -Tshow|wc -l
SVD> 0
SVD>
SVD> Where am I wrong?
SVD> pf.conf:
SVD>
SVD> ext_if="em0"
SVD>
SVD> table <trusted_hosts> { my_net/24, some_ip/32}
SVD> table <bots> persist
SVD>
SVD> scrub in all
SVD>
SVD> pass in quick on $ext_if proto tcp from <trusted_hosts>
SVD> block in quick from <bots>
SVD>
SVD> pass in quick on $ext_if proto tcp to $ext_if port ssh \
SVD>     flags S/SA keep state \
SVD>     ( max-src-conn-rate 2/1 overload <bots> flush )
SVD>
SVD> pass in all
SVD> pass out all
SVD>
SVD> --
SVD> wbr, tiger
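The follow-up makes the point: several auth.log lines can come from one sshd child (one PID, one TCP connection), and `max-src-conn-rate 2/1` counts connections, not log lines. The script below is an added example, not part of the thread; it groups sshd lines by source and PID and applies a sliding-window approximation of the `count/seconds` rule (pf itself uses a decaying moving average). The log lines from the thread are reused, and the extra bursts from RFC 5737 documentation addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd forks one child per TCP connection, so the PID in "sshd[3902]" identifies a
# connection.  Lines whose "from" names a hostname (the PAM line) carry no IP and are skipped.
LOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: .*\bfrom (?P<src>\d+\.\d+\.\d+\.\d+)")

def connections(lines):
    """Map source IP -> sorted connection start times, one per (source, PID) pair."""
    first_seen = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        first_seen.setdefault((m["src"], int(m["pid"])), ts)
    per_src = defaultdict(list)
    for (src, _pid), ts in first_seen.items():
        per_src[src].append(ts)
    return {src: sorted(times) for src, times in per_src.items()}

def overloaded(lines, count=2, seconds=1):
    """Sources that would exceed 'max-src-conn-rate count/seconds': more than `count`
    new connections inside any window of `seconds` (sliding-window approximation)."""
    window = timedelta(seconds=seconds)
    hits = set()
    for src, times in connections(lines).items():
        for i, t in enumerate(times):
            recent = sum(1 for u in times[:i + 1] if t - u <= window)
            if recent > count:
                hits.add(src)
    return hits

# Constructed sample: the thread's excerpt (three lines, but a single PID 3902), the later
# connection from 80.243.172.54, plus two invented bursts to show where the threshold sits.
SAMPLE_LOG = [
    "Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from 200.27.164.214",
    "Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication error for illegal user cobert from server.aconex.cl",
    "Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2",
    "Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45081 ssh2",
    "Nov 17 13:45:01 master-db6 sshd[4001]: Invalid user admin from 198.51.100.7",
    "Nov 17 13:45:01 master-db6 sshd[4002]: Invalid user admin from 198.51.100.7",
    "Nov 17 13:45:02 master-db6 sshd[4003]: Invalid user admin from 198.51.100.7",
    "Nov 17 13:50:00 master-db6 sshd[4101]: Invalid user test from 203.0.113.9",
    "Nov 17 13:50:00 master-db6 sshd[4102]: Invalid user test from 203.0.113.9",
]
```

Run `overloaded(SAMPLE_LOG)` and only 198.51.100.7 (three connections in one second) comes back: 200.27.164.214 is a single connection despite its three log lines, and 203.0.113.9 with exactly two connections does not exceed a 2/1 limit.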