Date:      Tue, 8 Feb 2011 19:11:40 -0500
From:      Vadym Chepkov <vchepkov@gmail.com>
To:        Helmut Schneider <jumper99@gmx.de>
Cc:        freebsd-pf@FreeBSD.org
Subject:   Re: brutal SSH attacks
Message-ID:  <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com>
In-Reply-To: <98689EFE59404E4B838E79071AABA8B4@charlieroot.de>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com> <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <A6E48F78-AC10-40DE-9345-86D14CC4D3A1@gmail.com> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de>


On Feb 8, 2011, at 7:01 PM, Helmut Schneider wrote:

>>> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post
>>> a vital part). We also can assume that pf is enabled, can we?
>>
>> What should I be looking for in pflog? I can't find anything ssh related. I posted full ruleset too.
> [...]
>> [root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>
> Well...
>
>> block drop in quick from <abusive_hosts> to any
>> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global, src.track 60)
>
> "block drop in quick log..." and "pass quick inet proto log" might be useful. BTW, what version of FreeBSD are you using? The machine isn't multi-homed, is it?

8.1-RELEASE-p1, just one external interface.

I will add "log" to "pass ssh", but what would I "block drop in quick" =
though?

Vadym
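Editor's note, added to this archived message and not part of the thread: the two rules quoted above with "log" added to both, in the form pf.conf accepts. In pf grammar "log" sits between the direction and "quick", which is why "block drop in quick log" as written in the reply would not load. The 38.X.X.X address is the poster's redacted host and stays as a placeholder; everything else (table name, thresholds) is taken from the quoted ruleset.

```pf
# Added example: the quoted SSH ruleset with logging on both rules.
# 38.X.X.X is the redacted address from the thread, not a real host.

# Table is "persist" so it survives a ruleset reload even while empty.
table <abusive_hosts> persist

# Without "log" here, packets dropped from an overloaded source never
# reach pflog, so a working overload looks like silence.
block drop in log quick from <abusive_hosts> to any

# "log" on a stateful pass rule records only the SYN that creates the
# state; "log (all)" would record every packet of the connection.
# A source that opens more than 9 new connections in 60 s, or holds more
# than 10 concurrent states, is added to <abusive_hosts> and all of its
# existing states are killed ("flush global").
pass log quick inet proto tcp from any to 38.X.X.X port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 9/60, \
     overload <abusive_hosts> flush global)
```

With logging in place, `tcpdump -n -e -ttt -r /var/log/pflog port 22` (or the bzcat loop from the thread for rotated logs) shows the rule number and action for each logged packet, `pfctl -s Sources` shows the per-source connection counters that feed the overload decision, and `pfctl -t abusive_hosts -T show` lists who has already been overloaded. One caveat a practitioner would check before concluding the rule is broken: `pfctl -vsr` prints per-rule packet counters, and a pass rule with a zero counter means SSH traffic is matching some earlier rule rather than this one. Also, an attacker pacing attempts slower than nine new connections per minute stays under max-src-conn-rate 9/60 and is never overloaded, so a quiet pflog is not by itself proof that the rule is wrong.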



