Date: Wed, 14 May 2008 16:10:21 +0100 (BST) From: "Reinhold" <freebsd@violetlan.net> To: "Jon Radel" <jon@radel.com>, freebsd-pf@freebsd.org Subject: Re: a few problems with pf Message-ID: <58644.217.41.34.61.1210777821.squirrel@www.violetlan.net> In-Reply-To: <482AEE64.8020209@radel.com> References: <63902.217.41.34.61.1210768578.squirrel@www.violetlan.net> <482AEE64.8020209@radel.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, May 14, 2008 14:51, Jon Radel wrote:
> Reinhold wrote:
>
>
>>
>> What I've also noticed is that in pf I have this rule
>> pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp
>> from any to { 192.168.1.2 } port = 22 keep state (max 1024, max-src-conn
>> 15,
>> max-src-conn-rate 2/1, overload <bruteforce> flush global)
>>
>> When I'm getting the bad header thingy this rule doesn't work properly.
>> It
>> let all the traffic trough but it never blocks the bad guys.
>
> Which bad guys are you expecting to block? I just checked a couple
> day's worth of logs and the fastest rate at which somebody was trying to
> brute force my ssh server was 1 attempt every 2 seconds. Your rule won't
> trigger until 2 attempts every 1 second or faster, and I don't think those
> other limits are likely to get triggered either unless you see a lot more
> "bad guys" than I do on random addresses. I find that
> max-src-conn-rate 3/10 tends to cut off the more energetic ones.
>
> --Jon Radel
>
>
I have almost the same rule on one of my 6.3 systems with 2/1 set and
yesterday it cough 6 bad guys and today 2.
I've made the change as you recommended. I actually was looking at a ssh
attempt earlier this week and it was connecting at about 3 to 4 per
second.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?58644.217.41.34.61.1210777821.squirrel>