Date:      Tue, 8 Feb 2011 19:51:42 -0500
From:      Vadym Chepkov <vchepkov@gmail.com>
To:        Luke Jee <lukejee@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: brutal SSH attacks
Message-ID:  <AC4D4903-F788-485C-B73E-7E947F1BC997@gmail.com>
In-Reply-To: <AANLkTiniSyhSMwMwkKaw_74PLC1TOgcArWmLp=9XF_Zy@mail.gmail.com>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com> <AANLkTiniSyhSMwMwkKaw_74PLC1TOgcArWmLp=9XF_Zy@mail.gmail.com>


On Feb 8, 2011, at 7:47 PM, Luke Jee wrote:

> Hi Vadym,
>
> try this:
> table <abusive_hosts>
>
> remove persist, I remember it means the table will be read-only

That contradicts the manual:

     Tables may be defined with the following two attributes:

     persist  The persist flag forces the kernel to keep the table even when
              no rules refer to it.  If the flag is not set, the kernel will
              automatically remove the table when the last rule referring to
              it is flushed.

     const    The const flag prevents the user from altering the contents of
              the table once it has been created.  Without that flag, pfctl(8)
              can be used to add or remove addresses from the table at any
              time, even when running with securelevel(7) = 2.

     For example,

           table <private> const { 10/8, 172.16/12, 192.168/16 }
           table <badhosts> persist
           block on fxp0 from { <private>, <badhosts> } to any



>
> On Wed, Feb 9, 2011 at 2:11 AM, Vadym Chepkov <vchepkov@gmail.com> wrote:
> Hi,
>
> Could somebody help in figuring out why a PF configuration meant to prevent brutal SSH attacks doesn't work?
>
> Here are the relevant parts:
>
> /etc/ssh/sshd_config
>
> PasswordAuthentication no
> MaxAuthTries 1
>
> /etc/pf.conf
>
> block in log on $wan_if
>
> table <abusive_hosts> persist
> block drop in quick from <abusive_hosts>
>
> pass quick proto tcp to $wan_if port ssh keep state \
> (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
>
> I would expect that if somebody tried to make more than 9 connections a minute they would have been blocked.
>
> But it's not the case:
>
> Feb  7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
> Feb  7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
> Feb  7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
> Feb  7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
> Feb  7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
> Feb  7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
> Feb  7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
> Feb  7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
> Feb  7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
> Feb  7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
> Feb  7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
> Feb  7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
> Feb  7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
> Feb  7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
> Feb  7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
> Feb  7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
> Feb  7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
> Feb  7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16
>
> What did I miss?
>
> Thank you,
> Vadym
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>
>
> --
> Luke Jee
> CEO
> Prevantage Corporation

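Added example, not part of the thread: a quick offline check of the poster's premise, counting new connections per source in any 60-second window the way max-src-conn-rate 9/60 does, so one can confirm from the sshd log whether the overload table should have been populated. It assumes the syslog year is 2011 (syslog lines carry no year) and that each distinct sshd PID is one TCP connection; the sample lines are the first ten from the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime

# First ten sshd lines from the quoted message; distinct PIDs, so each
# line is taken as one TCP connection (what max-src-conn-rate counts).
SAMPLE_LOG = """\
Feb  7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
Feb  7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
Feb  7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
Feb  7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
Feb  7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
Feb  7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
Feb  7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
Feb  7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
Feb  7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
Feb  7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Invalid user \S+ from (?P<src>\S+)$"
)

def parse_attempts(text, year=2011):
    """Map source address -> sorted epoch seconds of each sshd process.
    `year` is assumed because syslog timestamps omit it."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # strptime treats the format's spaces as runs of whitespace
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            by_src[m["src"]].append(ts.timestamp())
    return {src: sorted(t) for src, t in by_src.items()}

def peak_rate(times, window):
    """Largest number of connections inside any `window`-second span."""
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:  # slide the window's left edge
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def should_overload(text, limit=9, window=60):
    """Sources whose peak rate exceeds limit/window, i.e. the ones pf's
    `overload <abusive_hosts>` would be expected to have added."""
    rates = {src: peak_rate(t, window) for src, t in parse_attempts(text).items()}
    return {src: r for src, r in rates.items() if r > limit}
```

Ten connections in 31 seconds is well over 9/60, so the question is not whether the threshold should have tripped but whether the state-creating rule was actually the one matching the SSH traffic.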
