From: Mike Tancsa
To: Brooks Davis
Cc: Mikhail Teterin, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Date: Fri, 22 Aug 2008 09:48:00 -0400
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts

At 04:37 PM 8/21/2008, Brooks Davis wrote:
>On Thu, Aug 21, 2008 at 10:10:42PM +0200, Rink Springer wrote:
> > On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote:
> > > Finally, consider moving to pf instead, if you really feel ipfw is
> > > what's causing your machine to crash.  You might be pleasantly surprised
> > > by the syntax, and overall administrative usability (it is significantly
> > > superior to ipfw, IMHO).
> >
> > In fact, pf can already do this out-of-the-box, by doing something like:
> >
> > table persist
> > pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep state \
> >         (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
> >
> > If that is not an option, I have found that security/denyhosts works
> > pretty well too (it just adds IP's to /etc/hosts.deniedssh, and
> > host_access(5) denies them based on this)
>
>You almost certainly don't want to rate limit ssh connections, only failed
>ones.  If you rate limit connections and use svn, you're likely to lock
>yourself out.

I find a happy balance is to exclude trusted CIDR blocks from the
rate limiting and let everything else be limited.

e.g.

table persist
table {192.168.0.0/16,1.0.0.0/24}
block log quick proto tcp from to any port 22
block in log on $ext_if all
pass log quick proto { tcp } from {!} to $myaddress port ssh \
        flags S/SA keep state \
        (max-src-conn 6, max-src-conn-rate 3/30, \
        overload flush global)
pass in on $ext_if inet proto tcp from to $ext_if port ssh keep state

and then a crontab entry

*/5 * * * * /usr/local/sbin/expiretable -v -t 5m bruteforce

        ---Mike
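
Added example, not part of the original message and not code from pf or expiretable: a small Python model of the policy described above (3 new connections per 30 seconds, trusted CIDR blocks exempt, table entries older than 5 minutes expired by a cron job every 5 minutes). It assumes a plain sliding window, which simplifies pf's real rate counter, and the client addresses are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Limits and networks copied from the rules in the message above.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "1.0.0.0/24")]
MAX_CONN, WINDOW = 3, 30            # max-src-conn-rate 3/30
EXPIRE_AGE, CRON_PERIOD = 300, 300  # expiretable -t 5m, cron every 5 minutes

def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED)

def simulate(events):
    """events: (seconds, src_ip) new SSH connections, sorted by time.
    Returns (decisions, table); table maps blocked src -> time added."""
    recent = defaultdict(deque)     # per-source times of recent connections
    table, decisions, next_cron = {}, [], CRON_PERIOD
    for now, src in events:
        while next_cron <= now:     # cron ticks that fired before this event
            table = {s: t for s, t in table.items()
                     if next_cron - t < EXPIRE_AGE}
            next_cron += CRON_PERIOD
        if is_trusted(src):
            decisions.append("pass")        # never counted by the limiter
        elif src in table:
            decisions.append("block")       # hit by the block rule
        else:
            q = recent[src]
            while q and now - q[0] >= WINDOW:
                q.popleft()
            q.append(now)
            if len(q) > MAX_CONN:           # rate exceeded: drop and list
                table[src] = now
                q.clear()
                decisions.append("overload")
            else:
                decisions.append("pass")
    return decisions, table

# Constructed sample: A is an untrusted client opening several successful
# sessions quickly (e.g. svn over ssh); T sits inside a trusted block.
A, T = "203.0.113.9", "192.168.5.5"
SAMPLE = [(0, A), (1, T), (2, A), (3, T), (4, A), (5, T), (6, A), (7, T),
          (8, A), (200, A), (310, A), (610, A)]

if __name__ == "__main__":
    for (t, src), d in zip(SAMPLE, simulate(SAMPLE)[0]):
        print(f"{t:>4}s {src:<13} {d}")
```

In the sample, the untrusted client is still blocked at 310s because the cron run at 300s sees its entry as only 294s old, so a listed source can stay blocked for close to ten minutes rather than five.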