Date: Tue, 8 Feb 2011 19:51:42 -0500
From: Vadym Chepkov <vchepkov@gmail.com>
To: Luke Jee <lukejee@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
Message-ID: <AC4D4903-F788-485C-B73E-7E947F1BC997@gmail.com>
In-Reply-To: <AANLkTiniSyhSMwMwkKaw_74PLC1TOgcArWmLp=9XF_Zy@mail.gmail.com>
References: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com> <AANLkTiniSyhSMwMwkKaw_74PLC1TOgcArWmLp=9XF_Zy@mail.gmail.com>
On Feb 8, 2011, at 7:47 PM, Luke Jee wrote:

> Hi Vadym,
>
> try this:
> table <abusive_hosts>
>
> remove persist, I remember it means the table will be read-only

That contradicts the manual:

    Tables may be defined with the following two attributes:

    persist  The persist flag forces the kernel to keep the table even when no
             rules refer to it. If the flag is not set, the kernel will
             automatically remove the table when the last rule referring to it
             is flushed.

    const    The const flag prevents the user from altering the contents of the
             table once it has been created. Without that flag, pfctl(8) can be
             used to add or remove addresses from the table at any time, even
             when running with securelevel(7) = 2.

    For example,

        table <private> const { 10/8, 172.16/12, 192.168/16 }
        table <badhosts> persist
        block on fxp0 from { <private>, <badhosts> } to any

>
> On Wed, Feb 9, 2011 at 2:11 AM, Vadym Chepkov <vchepkov@gmail.com> wrote:
> Hi,
>
> Could somebody help me figure out why a PF configuration meant to prevent brutal SSH attacks doesn't work?
>
> Here are the relevant parts:
>
> /etc/ssh/sshd_config
>
> PasswordAuthentication no
> MaxAuthTries 1
>
> /etc/pf.conf
>
> block in log on $wan_if
>
> table <abusive_hosts> persist
> block drop in quick from <abusive_hosts>
>
> pass quick proto tcp to $wan_if port ssh keep state \
>     (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
>
> I would expect that if somebody tried to make more than 9 connections a minute they would have been blocked.
>
> But it's not the case:
>
> Feb 7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
> Feb 7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
> Feb 7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
> Feb 7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
> Feb 7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
> Feb 7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
> Feb 7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
> Feb 7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
> Feb 7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
> Feb 7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
> Feb 7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
> Feb 7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
> Feb 7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
> Feb 7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
> Feb 7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
> Feb 7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
> Feb 7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
> Feb 7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16
>
> What did I miss?
>
> Thank you,
> Vadym
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>
>
> --
> Luke Jee
> CEO
> Prevantage Corporation
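As an added example that is not part of this thread or of pf itself: the Python below replays the sshd log lines quoted above through a sliding-window model of the max-src-conn-rate 9/60 limit from the pf.conf above, to show at which connection the source should have landed in <abusive_hosts>. The year 2011 is an assumption, since syslog timestamps carry none.

```python
# Added example, not from the thread: replay the sshd lines quoted in the
# post through the limit the pf rule expresses (max-src-conn-rate 9/60).
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed copy of the post's log lines (syslog has no year; 2011 assumed).
SSHD_LOG = """\
Feb 7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
Feb 7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
Feb 7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
Feb 7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
Feb 7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
Feb 7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
Feb 7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
Feb 7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
Feb 7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
Feb 7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
"""

LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user \S+ from (\S+)$")

def parse_events(text, year=2011):
    """Return [(timestamp, source ip)] for each 'Invalid user' line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def overload_hits(events, max_conn=9, seconds=60):
    """Sliding-window model of pf's 'max-src-conn-rate max_conn/seconds':
    {src: time} at which a source first has more than max_conn connections
    within `seconds` (the kernel uses a decaying counter approximating this)."""
    windows = defaultdict(deque)
    hits = {}
    for ts, src in sorted(events):
        win = windows[src]
        win.append(ts)
        while (ts - win[0]).total_seconds() > seconds:  # drop old entries
            win.popleft()
        if len(win) > max_conn and src not in hits:
            hits[src] = ts
    return hits

if __name__ == "__main__":
    for src, ts in overload_hits(parse_events(SSHD_LOG)).items():
        print(f"{src} exceeded 9/60 at {ts:%H:%M:%S}")
```

On the host itself, pfctl -t abusive_hosts -T show lists what the overload rule actually inserted, and pfctl -vsr shows whether the ssh pass rule is being evaluated and creating states at all.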