From owner-freebsd-pf@FreeBSD.ORG Mon Feb 7 11:07:05 2011
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 7 Feb 2011 11:07:05 GMT
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf    [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
o kern/111220  pf    [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

46 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 8 18:37:22 2011
From: Vadym Chepkov
To: freebsd-pf@FreeBSD.org
Date: Tue, 8 Feb 2011 13:11:00 -0500
Subject: brutal SSH attacks

Hi,

Could somebody help in figuring out why a PF configuration meant to prevent brutal SSH attacks doesn't work. Here are the relevant parts:

/etc/ssh/sshd_config

PasswordAuthentication no
MaxAuthTries 1

/etc/pf.conf

block in log on $wan_if

table persist
block drop in quick from

pass quick proto tcp to $wan_if port ssh keep state \
    (max-src-conn 10, max-src-conn-rate 9/60, overload flush global)

I would expect that if somebody tried to make more than 9 connections a minute they would have been blocked. But that's not the case:

Feb 7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
Feb 7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
Feb 7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
Feb 7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
Feb 7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
Feb 7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
Feb 7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
Feb 7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
Feb 7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
Feb 7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
Feb 7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
Feb 7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
Feb 7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
Feb 7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
Feb 7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
Feb 7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
Feb 7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
Feb 7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16

What did I miss?

Thank you,
Vadym

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 8 19:58:33 2011
From: Mike Tancsa
Organization: Sentex Communications
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Date: Tue, 08 Feb 2011 14:58:25 -0500
Subject: Re: brutal SSH attacks

On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
> Hi,
>
> Could somebody help in figuring out why a PF configuration meant to prevent brutal SSH attacks doesn't work.
>
> Here are the relevant parts:
>
> /etc/ssh/sshd_config
>
> PasswordAuthentication no
> MaxAuthTries 1
>
> /etc/pf.conf
>
> block in log on $wan_if
>
> table persist
> block drop in quick from
>
> pass quick proto tcp to $wan_if port ssh keep state \
>     (max-src-conn 10, max-src-conn-rate 9/60, overload flush global)

On RELENG_7 and 8 I use something like that. Is there a different IP they might be connecting to that is not covered under $wan_if?

table persist
table {xx.yy.zz.aa}

block log all
block in log quick proto tcp from to any port 22
pass in log quick proto tcp from {!} to self port ssh \
    flags S/SA keep state \
    (max-src-conn 6, max-src-conn-rate 3/30, \
    overload flush global)
pass in log inet proto tcp from to self port ssh keep state

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
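Added example, not code from the thread or from pf itself: it replays the sshd lines from Vadym's first message through a per-source model of "max-src-conn-rate 9/60 ... overload flush global" and reports at which connection each source would have been put into the overload table. pf.conf(5) calls the connection rate a moving-average approximation, so the block compares the strict reading (more than 9 connections in any 60 s) with a decaying counter; that counter, the treatment of each "Invalid user" line as one completed connection (sshd was set to MaxAuthTries 1), the year 2011 and the second source address 198.51.100.7 are all assumptions of this example.

```python
"""Replay sshd syslog lines through two models of pf's max-src-conn-rate.
Added example (not pf's code): SlidingWindow is the strict reading of
"limit/seconds"; DecayingCounter is an assumed moving-average counter."""
import re
from datetime import datetime

# Constructed sample: the 18 lines posted in the thread (113.185.0.16) plus
# one line from a second, made-up source (198.51.100.7, documentation range).
SAMPLE_LOG = """\
Feb  7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
Feb  7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
Feb  7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
Feb  7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
Feb  7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
Feb  7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
Feb  7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
Feb  7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
Feb  7 19:20:30 castor sshd[21431]: Invalid user test from 198.51.100.7
Feb  7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
Feb  7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
Feb  7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
Feb  7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
Feb  7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
Feb  7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
Feb  7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
Feb  7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
Feb  7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
Feb  7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16
"""

# With MaxAuthTries 1 every "Invalid user" line is one completed TCP
# connection, which is what pf counts for max-src-conn-rate (assumption).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"sshd\[\d+\]: Invalid user \S+ from (?P<src>\S+)$")


def parse_events(text, year=2011):
    """Return [(seconds, source)] for matching lines; syslog has no year,
    so 2011 (the thread's date) is assumed. Other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                      "%Y %b %d %H:%M:%S")
            events.append((int((stamp - datetime(year, 1, 1)).total_seconds()), m["src"]))
    return events


class SlidingWindow:
    """Strict reading: tripped when more than `limit` connections fall in any `seconds` window."""

    def __init__(self, limit, seconds):
        self.limit, self.seconds, self.times = limit, seconds, []

    def add(self, now):
        self.times = [t for t in self.times if now - t < self.seconds] + [now]
        return len(self.times) > self.limit


class DecayingCounter:
    """Moving-average model (assumption): a counter scaled by 1000 that decays
    in proportion to the time elapsed over `seconds`, then gains 1000 per connection."""
    MULT = 1000

    def __init__(self, limit, seconds):
        self.limit, self.seconds, self.count, self.last = limit * self.MULT, seconds, 0, None

    def add(self, now):
        if self.last is not None:
            diff = now - self.last
            self.count = 0 if diff >= self.seconds else self.count - self.count * diff // self.seconds
        self.count += self.MULT
        self.last = now
        return self.count > self.limit


def replay(text, limit, seconds, model):
    """Simulate 'max-src-conn-rate limit/seconds, overload <table> flush global'
    per source: the tripping connection is dropped, the source is tabled and
    every later connection from it is blocked. Returns a per-source report."""
    trackers, overload, report = {}, set(), {}
    for now, src in parse_events(text):
        entry = report.setdefault(src, {"triggered_at": None, "passed": 0, "blocked": 0})
        if src in overload:          # the "block ... from <table>" rule matches first
            entry["blocked"] += 1
            continue
        tracker = trackers.setdefault(src, model(limit, seconds))
        if tracker.add(now):         # limit exceeded on this connection
            overload.add(src)
            entry["triggered_at"] = entry["passed"] + 1
            entry["blocked"] += 1
        else:
            entry["passed"] += 1
    return report


if __name__ == "__main__":
    for model in (SlidingWindow, DecayingCounter):
        print(model.__name__, replay(SAMPLE_LOG, 9, 60, model))
```

Under either model the posted burst trips the limit well before the 18th connection (at the 10th or the 13th), so the rate arithmetic is not what lets the attempts through, and checking whether the pass rule actually matches (pflog with "log" on the rule) is the right next step.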
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 8 22:06:53 2011
From: Vadym Chepkov
To: Mike Tancsa
Cc: freebsd-pf@freebsd.org
Date: Tue, 8 Feb 2011 17:06:49 -0500
Subject: Re: brutal SSH attacks

On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>> [...]
>>
>> block in log on $wan_if
>>
>> table persist
>> block drop in quick from
>>
>> pass quick proto tcp to $wan_if port ssh keep state \
>>     (max-src-conn 10, max-src-conn-rate 9/60, overload flush global)
>
> On RELENG_7 and 8 I use something like that. Is there a different IP
> they might be connecting to that is not covered under $wan_if?

That would mean this rule doesn't work: block in log on $wan_if

> table persist
> table {xx.yy.zz.aa}
>
> block log all
> block in log quick proto tcp from to any port 22
> pass in log quick proto tcp from {!} to self port ssh \
>     flags S/SA keep state \
>     (max-src-conn 6, max-src-conn-rate 3/30, \
>     overload flush global)
> pass in log inet proto tcp from to self port ssh keep state

I don't have "trusted" outside IPs; other than that your config seems the same, except mine is supposed to be more strict - just one IP instead of "self". By the way, wouldn't using "self" allow incoming packets to 127.0.0.1?

Vadym

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 8 22:53:31 2011
From: "Helmut Schneider"
To: "Vadym Chepkov"
Date: Tue, 8 Feb 2011 23:26:47 +0100
Subject: Re: brutal SSH attacks

> Could somebody help in figuring out why a PF configuration meant to prevent
> brutal SSH attacks doesn't work.

Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post a vital part). We also can assume that pf is enabled, can we?
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 8 23:02:52 2011
From: Vadym Chepkov
To: Helmut Schneider
Cc: freebsd-pf@FreeBSD.org
Date: Tue, 8 Feb 2011 18:02:49 -0500
Subject: Re: brutal SSH attacks

On Feb 8, 2011, at 5:26 PM, Helmut Schneider wrote:
>> Could somebody help in figuring out why a PF configuration meant to prevent brutal SSH attacks doesn't work.
>
> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post a vital part). We also can assume that pf is enabled, can we?

What should I be looking for in pflog? I can't find anything ssh related. I posted the full ruleset too.

[root@castor ~]# service pf status
Status: Enabled for 74 days 00:20:02           Debug: Urgent

State Table                          Total             Rate
  current entries                       10
  searches                        94773790           14.8/s
  inserts                           228426            0.0/s
  removals                          228416            0.0/s
Counters
  match                           93343976           14.6/s
  bad-offset                             0            0.0/s
  fragment                              11            0.0/s
  short                                  0            0.0/s
  normalize                              4            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                          40706            0.0/s
  proto-cksum                          354            0.0/s
  state-mismatch                        57            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                            116            0.0/s
  synproxy                               0            0.0/s

[root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)

[root@castor ~]# pfctl -sr
scrub in all fragment reassemble
block return in log on bce1 all
block drop in quick on bce1 from to any
block return out quick on bce1 from any to
pass out quick on bce1 from to any flags S/SA keep state
block drop in quick from to any
pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload flush global, src.track 60)
pass quick inet proto tcp from any to 38.X.X.X port = domain flags S/SA keep state
pass quick inet proto udp from any to 38.X.X.X port = domain keep state
pass quick inet proto udp from any to 38.X.X.X port = openvpn keep state
pass quick inet proto icmp from any to 38.X.X.X icmp-type squench no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type unreach no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type timex no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type echoreq no state
pass quick inet proto udp from any to 38.X.X.X port 33434:33523 keep state

Thanks,
Vadym
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 00:01:39 2011
From: "Helmut Schneider"
To: "Vadym Chepkov"
Cc: freebsd-pf@FreeBSD.org
Date: Wed, 9 Feb 2011 01:01:35 +0100
Subject: Re: brutal SSH attacks

>> Check your pflog. The ruleset itself seems fine (if it is complete and
>> you did not forget to post a vital part). We also can assume that pf is
>> enabled, can we?
>
> What should I be looking for in pflog? I can't find anything ssh related.
> I posted the full ruleset too.

[...]

> [root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
> reading from file -, link-type PFLOG (OpenBSD pflog file)
> reading from file -, link-type PFLOG (OpenBSD pflog file)
> reading from file -, link-type PFLOG (OpenBSD pflog file)
> reading from file -, link-type PFLOG (OpenBSD pflog file)

Well...

> block drop in quick from to any
> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep
> state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60,
> overload flush global, src.track 60)

"block drop in quick log..." and "pass quick inet proto log" might be useful. BTW, what version of FreeBSD are you using? The machine isn't multi-homed, is it?
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 00:11:42 2011
From: Vadym Chepkov
To: Helmut Schneider
Cc: freebsd-pf@FreeBSD.org
Date: Tue, 8 Feb 2011 19:11:40 -0500
Subject: Re: brutal SSH attacks

On Feb 8, 2011, at 7:01 PM, Helmut Schneider wrote:
> [...]
>
> Well...
>
>> block drop in quick from to any
>> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload flush global, src.track 60)
>
> "block drop in quick log..." and "pass quick inet proto log" might be useful. BTW, what version of FreeBSD are you using? The machine isn't multi-homed, is it?

8.1-RELEASE-p1, just one external interface.

I will add "log" to "pass ssh", but what would I "block drop in quick" though?

Vadym
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 00:51:45 2011
From: Vadym Chepkov
To: Luke Jee
Cc: freebsd-pf@freebsd.org
Date: Tue, 8 Feb 2011 19:51:42 -0500
Subject: Re: brutal SSH attacks

On Feb 8, 2011, at 7:47 PM, Luke Jee wrote:
> Hi Vadym,
>
> try this:
> table
>
> remove persist, I remember it means the table will be read-only

That contradicts the manual:

     Tables may be defined with the following two attributes:

     persist   The persist flag forces the kernel to keep the table even when
               no rules refer to it.  If the flag is not set, the kernel will
               automatically remove the table when the last rule referring to
               it is flushed.

     const     The const flag prevents the user from altering the contents of
               the table once it has been created.  Without that flag, pfctl(8)
               can be used to add or remove addresses from the table at any
               time, even when running with securelevel(7) = 2.

     For example,

           table const { 10/8, 172.16/12, 192.168/16 }
           table persist
           block on fxp0 from { , } to any

> On Wed, Feb 9, 2011 at 2:11 AM, Vadym Chepkov wrote:
> [...]
>
> --
> Luke Jee
> CEO
> Prevantage Corporation
From: Vadym Chepkov
Date: Tue, 8 Feb 2011 20:07:52 -0500
To: Helmut Schneider
Cc: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks

On Feb 8, 2011, at 7:11 PM, Vadym Chepkov wrote:

>
> On Feb 8, 2011, at 7:01 PM, Helmut Schneider wrote:
>
>>>> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post
>>>> a vital part). We also can assume that pf is enabled, can we?
>>>
>>> What should I be looking for in pflog? I can't find anything ssh related. I posted full ruleset too.
>> [...]
>>> [root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>
>> Well...
>>
>>> block drop in quick from to any
>>> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload flush global, src.track 60)
>>
>> "block drop in quick log..." and "pass quick inet proto log" might be useful. BTW, what version of FreeBSD are you using? The machine isn't multi-homed, is it?
>
> 8.1-RELEASE-p1, just one external interface.
>
> I will add "log" to "pass ssh", but what would I "block drop in quick" though?

Here are entries with pass in log enabled:

19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0
19:59:09.879718 rule 5/0(match): pass in on bce1: 93.174.31.134.37700 > 38.X.X.X.22: Flags [S], seq 442612509, win 5840, options [mss 1460,sackOK,TS val 395812607 ecr 0,nop,wscale 7], length 0
19:59:11.585464 rule 5/0(match): pass in on bce1: 93.174.31.134.38063 > 38.X.X.X.22: Flags [S], seq 452334454, win 5840, options [mss 1460,sackOK,TS val 395814310 ecr 0,nop,wscale 7], length 0
19:59:13.343901 rule 5/0(match): pass in on bce1: 93.174.31.134.38266 > 38.X.X.X.22: Flags [S], seq 460272696, win 5840, options [mss 1460,sackOK,TS val 395816072 ecr 0,nop,wscale 7], length 0
19:59:15.083747 rule 5/0(match): pass in on bce1: 93.174.31.134.39088 > 38.X.X.X.22: Flags [S], seq 451620226, win 5840, options [mss 1460,sackOK,TS val 395817812 ecr 0,nop,wscale 7], length 0
19:59:16.825914 rule 5/0(match): pass in on bce1: 93.174.31.134.39441 > 38.X.X.X.22: Flags [S], seq 449195625, win 5840, options [mss 1460,sackOK,TS val 395819550 ecr 0,nop,wscale 7], length 0
19:59:18.556231 rule 5/0(match): pass in on bce1: 93.174.31.134.39722 > 38.X.X.X.22: Flags [S], seq 452162408, win 5840, options [mss 1460,sackOK,TS val 395821284 ecr 0,nop,wscale 7], length 0
19:59:20.263343 rule 5/0(match): pass in on bce1: 93.174.31.134.40441 > 38.X.X.X.22: Flags [S], seq 466289680, win 5840, options [mss 1460,sackOK,TS val 395822987 ecr 0,nop,wscale 7], length 0
19:59:21.996759 rule 5/0(match): pass in on bce1: 93.174.31.134.40812 > 38.X.X.X.22: Flags [S], seq 466926642, win 5840, options [mss 1460,sackOK,TS val 395824721 ecr 0,nop,wscale 7], length 0
19:59:23.723164 rule 5/0(match): pass in on bce1: 93.174.31.134.41081 > 38.X.X.X.22: Flags [S], seq 470787551, win 5840, options [mss 1460,sackOK,TS val 395826451 ecr 0,nop,wscale 7], length 0
19:59:25.424186 rule 5/0(match): pass in on bce1: 93.174.31.134.41808 > 38.X.X.X.22: Flags [S], seq 456764787, win 5840, options [mss 1460,sackOK,TS val 395828152 ecr 0,nop,wscale 7], length 0

No idea, why it didn't stop after 9 attempts.

Vadym

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 01:18:14 2011
From: Luke Jee
Date: Wed, 9 Feb 2011 08:47:21 +0800
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks

Hi Vadyam,

try this:
table

remove persist, I remember it means table will readonly

On Wed, Feb 9, 2011 at 2:11 AM, Vadym Chepkov wrote:
> Hi,
>
> Could somebody help in figuring out why PF configuration meant to prevent
> brutal SSH attacks doesn't work.
>
> Here are the relevant parts:
>
> /etc/ssh/sshd_config
>
> PasswordAuthentication no
> MaxAuthTries 1
>
> /etc/pf.conf
>
> block in log on $wan_if
>
> table persist
> block drop in quick from
>
> pass quick proto tcp to $wan_if port ssh keep state \
> (max-src-conn 10, max-src-conn-rate 9/60, overload flush
> global)
>
> I would expect if somebody tried to make more than 9 connections a minute
> would have been blocked.
>
> But it's not the case:
>
> [...]
>
> What did I miss?
>
> Thank you,
> Vadym

--
Luke Jee
CEO
Prevantage Corporation

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 01:22:46 2011
From: Vadym Chepkov
Date: Tue, 8 Feb 2011 20:22:44 -0500
To: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks

I should have mentioned it. Some IPs do get into abusive_hosts table, but some do not and I don't understand why, how do they avoid getting caught.

Vadym

On Feb 8, 2011, at 8:07 PM, Vadym Chepkov wrote:

> [...]
>
> Here are entries with pass in log enabled:
>
> [...]
>
> No idea, why it didn't stop after 9 attempts.
>
> Vadym

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 01:36:45 2011
From: "Helmut Schneider"
To: "Vadym Chepkov"
Date: Wed, 9 Feb 2011 02:36:43 +0100
Cc: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks

> Here are entries with pass in log enabled:
>
> 19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0

And 38.x.x.x is the external ip of your gateway?! (my last guess for today^Wtonight...)
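An added example, not code from any participant in this thread and not pf's source: the Python below replays the pflog SYN entries quoted above against two readings of max-src-conn-rate, the strict "more than N connections in any S seconds" count the original poster expected and a decaying counter modelled on the moving-average approximation that pf.conf(5) says pf uses, for both the thread's 9/60 rule and the 15/30 setting suggested further down. Assumptions: the x1000 fixed-point decay arithmetic is my reconstruction, timestamps are truncated to whole seconds, and the SYN time stands in for the handshake completion time at which pf counts the connection.

```python
"""Replay pflog SYN entries against two readings of pf's max-src-conn-rate:
the strict "more than N in any S seconds" count, and a decaying counter
modelled on the moving-average approximation described in pf.conf(5).

Added example, not code from any participant and not pf's source.  The
x1000 fixed-point decay, whole-second timestamps and the use of the SYN
time in place of the handshake completion time are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: the pflog lines posted earlier in the thread, shortened
# after the seq field, plus one made-up blocked SYN from 203.0.113.9 to show
# that only passed inbound SYNs are counted.
PFLOG = """\
19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, length 0
19:59:09.879718 rule 5/0(match): pass in on bce1: 93.174.31.134.37700 > 38.X.X.X.22: Flags [S], seq 442612509, length 0
19:59:11.585464 rule 5/0(match): pass in on bce1: 93.174.31.134.38063 > 38.X.X.X.22: Flags [S], seq 452334454, length 0
19:59:13.343901 rule 5/0(match): pass in on bce1: 93.174.31.134.38266 > 38.X.X.X.22: Flags [S], seq 460272696, length 0
19:59:15.083747 rule 5/0(match): pass in on bce1: 93.174.31.134.39088 > 38.X.X.X.22: Flags [S], seq 451620226, length 0
19:59:16.825914 rule 5/0(match): pass in on bce1: 93.174.31.134.39441 > 38.X.X.X.22: Flags [S], seq 449195625, length 0
19:59:18.556231 rule 5/0(match): pass in on bce1: 93.174.31.134.39722 > 38.X.X.X.22: Flags [S], seq 452162408, length 0
19:59:20.263343 rule 5/0(match): pass in on bce1: 93.174.31.134.40441 > 38.X.X.X.22: Flags [S], seq 466289680, length 0
19:59:21.996759 rule 5/0(match): pass in on bce1: 93.174.31.134.40812 > 38.X.X.X.22: Flags [S], seq 466926642, length 0
19:59:23.723164 rule 5/0(match): pass in on bce1: 93.174.31.134.41081 > 38.X.X.X.22: Flags [S], seq 470787551, length 0
19:59:25.424186 rule 5/0(match): pass in on bce1: 93.174.31.134.41808 > 38.X.X.X.22: Flags [S], seq 456764787, length 0
19:59:26.000000 rule 0/0(match): block in on bce1: 203.0.113.9.51000 > 38.X.X.X.22: Flags [S], seq 1, length 0
"""

LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d(?:\.\d+)?) rule \d+/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on \S+: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_syns(text):
    """Yield (src_ip, seconds_since_midnight) for each passed inbound SYN."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "pass" or m["dir"] != "in":
            continue
        if m["flags"] != "S":            # only new connections count
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        yield m["src"], t


def strict_window_trigger(times, limit, seconds):
    """1-based index of the first connection that makes more than `limit`
    connections within any `seconds` window, or None."""
    recent = []
    for i, t in enumerate(times, 1):
        recent = [x for x in recent if t - x < seconds] + [t]
        if len(recent) > limit:
            return i
    return None


PF_THRESHOLD_MULT = 1000   # fixed-point scale assumed for the counter


def decaying_trigger(times, limit, seconds):
    """Same question for the decaying counter: on each new connection the
    count is first scaled down by the fraction of the window that elapsed
    since the previous one (reset if a whole window passed), then bumped
    by one connection (x1000)."""
    count, last = 0, None
    for i, t in enumerate(times, 1):
        now = int(t)                     # assumption: whole-second clock
        if last is None or now - last >= seconds:
            count = 0
        else:
            count -= count * (now - last) // seconds
        count += PF_THRESHOLD_MULT
        last = now
        if count > limit * PF_THRESHOLD_MULT:
            return i
    return None


def analyse(text, limit, seconds):
    """Per source IP: (SYNs seen, strict trigger index, decaying trigger index)."""
    by_src = defaultdict(list)
    for src, t in parse_syns(text):
        by_src[src].append(t)
    return {
        src: (len(ts),
              strict_window_trigger(ts, limit, seconds),
              decaying_trigger(ts, limit, seconds))
        for src, ts in by_src.items()
    }


if __name__ == "__main__":
    for rate in ((9, 60), (15, 30)):    # the thread's rule, then the 15/30 suggestion
        for src, (n, strict, decay) in analyse(PFLOG, *rate).items():
            print(f"{src}: {n} SYNs at max-src-conn-rate {rate[0]}/{rate[1]}: "
                  f"strict count trips at #{strict}, decaying counter at #{decay}")
```

For this 1.7-second cadence the strict count trips at the 10th SYN, the decaying counter not until the 11th, and at 15/30 neither trips within the eleven logged connections.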
From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 01:38:20 2011
From: Vadym Chepkov
Date: Tue, 8 Feb 2011 20:38:13 -0500
To: "Helmut Schneider"
Cc: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks

On Feb 8, 2011, at 8:36 PM, Helmut Schneider wrote:

>> Here are entries with pass in log enabled:
>>
>> 19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0
>
> And 38.x.x.x is the external ip of your gateway?! (my last guess for today^Wtonight...)

yes, it is

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 05:50:13 2011
From: jhell
Date: Wed, 9 Feb 2011 00:26:59 -0500
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks

On Tue, 8 Feb 2011 20:38, vchepkov@ wrote:

>
> On Feb 8, 2011, at 8:36 PM, Helmut Schneider wrote:
>
>>> Here are entries with pass in log enabled:
>>>
>>> 19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0
>>
>> And 38.x.x.x is the external ip of your gateway?! (my last guess for today^Wtonight...)
>
> yes, it is
>

Your max-src-conn is higher than your initial max-src-conn-rate. Try adjusting max-src-conn to 3 which is 1/3 of what your rate is and you'll find that you will have much different results.

Brute force attacks usually will come in faster than: max-src-conn 5, max-src-conn-rate 15/30 which in itself is a little restrictive but works out in quite a few instances where I have implemented this same functionality.

Good Luck,

--
jhell

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 09:13:03 2011
From: Damien Fleuriot
Date: Wed, 9 Feb 2011 10:12:38 +0100
To: Helmut Schneider
Subject: Re: brutal SSH attacks
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 09 Feb 2011 09:13:03 -0000 I didn't see anything the author posted to indicate that his abusive hosts t= able was being populated. @OP: install sshguard from the ports --- Fleuriot Damien On 8 Feb 2011, at 23:26, "Helmut Schneider" wrote: >> Could somebody help in figuring out why PF configuration meant to prevent= brutal SSH attacks doesn't work. >=20 > Check your pflog. The ruleset itself seems fine (if it is complete and you= did not forget to post a vital part). We also can assume that pf is enabled= , can we?=20 > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 10:00:22 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A9110106566B for ; Wed, 9 Feb 2011 10:00:21 +0000 (UTC) (envelope-from ml@my.gd) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id DA4F58FC0A for ; Wed, 9 Feb 2011 10:00:19 +0000 (UTC) Received: by bwz12 with SMTP id 12so723104bwz.13 for ; Wed, 09 Feb 2011 02:00:18 -0800 (PST) Received: by 10.204.51.145 with SMTP id d17mr1274939bkg.24.1297245618552; Wed, 09 Feb 2011 02:00:18 -0800 (PST) Received: from dfleuriot.local ([83.167.62.196]) by mx.google.com with ESMTPS id a17sm82587bku.23.2011.02.09.02.00.16 (version=SSLv3 cipher=RC4-MD5); Wed, 09 Feb 2011 02:00:17 -0800 (PST) Message-ID: <4D5265AF.4060600@my.gd> Date: Wed, 09 Feb 2011 11:00:15 +0100 From: Damien Fleuriot User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7 MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <4D51A061.20704@sentex.net> 
Subject: Re: brutal SSH attacks

Looks like my previous message didn't make it to the list.

@OP: nothing indicates that your table is getting populated correctly.

While this doesn't address your main issue, you may want to install sshguard which will automatically blacklist attackers and populate a dedicated table.

On 2/8/11 11:06 PM, Vadym Chepkov wrote:
>
> On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
>
>> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.
>>>
>>> Here are the relevant parts:
>>>
>>> /etc/ssh/sshd_config
>>>
>>> PasswordAuthentication no
>>> MaxAuthTries 1
>>>
>>> /etc/pf.conf
>>>
>>> block in log on $wan_if
>>>
>>> table <abusive_hosts> persist
>>> block drop in quick from <abusive_hosts>
>>>
>>> pass quick proto tcp to $wan_if port ssh keep state \
>>>     (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
>>
>>
>> On RELENG_7 and 8 I use something like that. Is there a different IP
>> they might be connecting to that is not covered under $wan_if?
>>
>
> That would mean this rule doesn't work:
>
> block in log on $wan_if
>
>
>>
>> table persist
>> table {xx.yy.zz.aa}
>>
>>
>> block log all
>> block in log quick proto tcp from to any port 22
>> pass in log quick proto tcp from {!} to self port ssh \
>>     flags S/SA keep state \
>>     (max-src-conn 6, max-src-conn-rate 3/30, \
>>     overload flush global)
>> pass in log inet proto tcp from to self port ssh keep state
>>
>
> I don't have "trusted" outside IPs; other than that your config seems the same, except mine is supposed to be more strict - just one IP instead of "self".
> By the way, wouldn't using "self" allow incoming packets to 127.0.0.1?
>
> Vadym
>
>
>>
>> ---Mike
>>
>>
>> --
>> -------------------
>> Mike Tancsa, tel +1 519 651 3400
>> Sentex Communications, mike@sentex.net
>> Providing Internet services since 1994 www.sentex.net
>> Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 18:51:18 2011
From: Daniel Hartmeier
Date: Wed, 9 Feb 2011 19:51:18 +0100
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
Message-ID: <20110209185118.GA16942@insomnia.benzedrine.cx>

On Tue, Feb 08, 2011 at 08:07:52PM -0500, Vadym Chepkov wrote:

> No idea, why it didn't stop after 9 attempts.

The connection rate is not calculated precisely, from pf.conf(5)

    max-src-conn-rate <number> / <seconds>
        Limit the rate of new connections over a time interval.  The
        connection rate is an approximation calculated as a moving average.

There is a counter, and a last-update-time.

When the first connection matches, the counter starts at zero, and the
time (one second resolution) is noted.

Whenever a subsequent connection matches, the following happens:

1) if the last-update-time is further back than <seconds> (60, in your
   case), the counter is reset to zero.
2) otherwise, the counter is reduced relative to how much time has
   passed since last-update-time (i.e. the counter is multiplied by
   (now - last-update-time) / <seconds>)
3) the counter is incremented by 1000

When the counter exceeds 1000 * <number> (9, in your case), the
max-src-conn-rate is triggered.

This works reasonably well in many cases, but may be quite imprecise,
especially when <number> is much smaller than <seconds>.

You could try max-src-conn-rate 2/5 instead.
The details can be found in pf.c, see

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c?rev=HEAD

The reason this was chosen over a more precise algorithm is that this is
very cheap CPU-wise and requires only a minimal amount of memory.

Regards,
Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 20:55:51 2011
From: Vadym Chepkov
Date: Wed, 9 Feb 2011 15:55:42 -0500
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
In-Reply-To: <20110209185118.GA16942@insomnia.benzedrine.cx>

On Feb 9, 2011, at 1:51 PM, Daniel Hartmeier wrote:

> On Tue, Feb 08, 2011 at 08:07:52PM -0500, Vadym Chepkov wrote:
>
>> No idea, why it didn't stop after 9 attempts.
>
> The connection rate is not calculated precisely, from pf.conf(5)
>
>     max-src-conn-rate <number> / <seconds>
>         Limit the rate of new connections over a time interval.  The
>         connection rate is an approximation calculated as a moving average.
>
> There is a counter, and a last-update-time.
>
> When the first connection matches, the counter starts at zero, and the
> time (one second resolution) is noted.
>
> Whenever a subsequent connection matches, the following happens:
>
> 1) if the last-update-time is further back than <seconds> (60, in your
>    case), the counter is reset to zero.
> 2) otherwise, the counter is reduced relative to how much time has
>    passed since last-update-time (i.e. the counter is multiplied by
>    (now - last-update-time) / <seconds>)
> 3) the counter is incremented by 1000
>
> When the counter exceeds 1000 * <number> (9, in your case), the
> max-src-conn-rate is triggered.
>
> This works reasonably well in many cases, but may be quite imprecise,
> especially when <number> is much smaller than <seconds>.
>
> You could try max-src-conn-rate 2/5 instead.
>

Wouldn't it be dangerous to reduce it this drastically? I can lock out myself.
I don't think it's uncommon to try to open 3 connections at the same time, especially in a NAT environment.
I would increase "number", but it will negate the rule.

Here is an example of an actual intruder:

Feb 8 11:27:01 castor sshd[57304]: Invalid user ariane from 113.185.0.16
Feb 8 11:27:04 castor sshd[57306]: Invalid user armand from 113.185.0.16
Feb 8 11:27:08 castor sshd[57308]: Invalid user armande from 113.185.0.16
Feb 8 11:27:11 castor sshd[57310]: Invalid user armando from 113.185.0.16
Feb 8 11:27:15 castor sshd[57312]: Invalid user armani from 113.185.0.16
Feb 8 11:27:18 castor sshd[57314]: Invalid user arnie from 113.185.0.16
Feb 8 11:27:22 castor sshd[57316]: Invalid user arne from 113.185.0.16
Feb 8 11:27:25 castor sshd[57318]: Invalid user arnold from 113.185.0.16
Feb 8 11:27:29 castor sshd[57320]: Invalid user art from 113.185.0.16
Feb 8 11:27:33 castor sshd[57322]: Invalid user arthur from 113.185.0.16
Feb 8 11:27:36 castor sshd[57324]: Invalid user artie from 113.185.0.16
Feb 8 11:27:47 castor sshd[57326]: Invalid user arty from 113.185.0.16
Feb 8 11:27:50 castor sshd[57328]: Invalid user asha from 113.185.0.16
Feb 8 11:27:54 castor sshd[57330]: Invalid user asher from 113.185.0.16
Feb 8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16
Feb 8 11:28:01 castor sshd[57334]: Invalid user ashton from 113.185.0.16

That's 16 packets in 60 seconds. 2/5 wouldn't have caught him either - 7 seconds between 3 packets.
And I would be fine if just 3-4 packets exceeded the threshold, if it's not precise.
But it doesn't stop him at all, that's what puzzles me.

# bzgrep 113.185.0.16 /var/log/auth.log.0.bz2 | wc -l
939

# pfctl -t abusive_hosts -T show
46.23.72.63
69.162.99.220
79.136.100.188
93.174.31.134
109.169.21.37
188.127.244.107
200.24.219.198
221.133.41.170
221.238.253.85
222.186.37.205

Some do get caught, as you can see, but I still see every day those that avoid the trap.

Thanks,
Vadym

> The details can be found in pf.c, see
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c?rev=HEAD
>
> The reason this was chosen over a more precise algorithm is that this is
> very cheap CPU-wise and requires only a minimal amount of memory.
>
> Regards,
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 21:00:45 2011
From: Vadym Chepkov
Date: Wed, 9 Feb 2011 16:00:42 -0500
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
In-Reply-To: <4D5265AF.4060600@my.gd>

On Feb 9, 2011, at 5:00 AM, Damien Fleuriot wrote:

> Looks like my previous message didn't make it to the list.
>
>
> @OP: nothing indicates that your table is getting populated correctly.
>
> While this doesn't address your main issue, you may want to install
> sshguard which will automatically blacklist attackers and populate a
> dedicated table.
>

Thanks for the suggestion, but as you said, it's a workaround.
I'd rather try to understand why something that is supposed to work does not.
Because this is something I have visibility into.
What if something else doesn't work as expected and I blindly trust it?

Vadym

>
> On 2/8/11 11:06 PM, Vadym Chepkov wrote:
>>
>> On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
>>
>>> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.
>>>>
>>>> Here are the relevant parts:
>>>>
>>>> /etc/ssh/sshd_config
>>>>
>>>> PasswordAuthentication no
>>>> MaxAuthTries 1
>>>>
>>>> /etc/pf.conf
>>>>
>>>> block in log on $wan_if
>>>>
>>>> table <abusive_hosts> persist
>>>> block drop in quick from <abusive_hosts>
>>>>
>>>> pass quick proto tcp to $wan_if port ssh keep state \
>>>>     (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
>>>
>>>
>>> On RELENG_7 and 8 I use something like that. Is there a different IP
>>> they might be connecting to that is not covered under $wan_if?
>>>
>>
>> That would mean this rule doesn't work:
>>
>> block in log on $wan_if
>>
>>
>>>
>>> table persist
>>> table {xx.yy.zz.aa}
>>>
>>>
>>> block log all
>>> block in log quick proto tcp from to any port 22
>>> pass in log quick proto tcp from {!} to self port ssh \
>>>     flags S/SA keep state \
>>>     (max-src-conn 6, max-src-conn-rate 3/30, \
>>>     overload flush global)
>>> pass in log inet proto tcp from to self port ssh keep state
>>>
>>
>> I don't have "trusted" outside IPs; other than that your config seems the same, except mine is supposed to be more strict - just one IP instead of "self".
>> By the way, wouldn't using "self" allow incoming packets to 127.0.0.1?
>>
>> Vadym
>>
>>
>>>
>>> ---Mike
>>>
>>>
>>> --
>>> -------------------
>>> Mike Tancsa, tel +1 519 651 3400
>>> Sentex Communications, mike@sentex.net
>>> Providing Internet services since 1994 www.sentex.net
>>> Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 10 07:53:01 2011
From: Daniel Hartmeier
Date: Thu, 10 Feb 2011 08:52:58 +0100
To: Vadym Chepkov
Message-ID: <20110210075258.GB16942@insomnia.benzedrine.cx>
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks

On Wed, Feb 09, 2011 at 03:55:42PM -0500, Vadym Chepkov wrote:

> Feb 8 11:27:01 castor sshd[57304]: Invalid user ariane from 113.185.0.16

count = 1000, last = 01

> Feb 8 11:27:04 castor sshd[57306]: Invalid user armand from 113.185.0.16

diff = 3, count -= 1000 * 3 / 60, += 1000, count = 1950, last = 04

> Feb 8 11:27:08 castor sshd[57308]: Invalid user armande from 113.185.0.16

diff = 4, count -= 1950 * 4 / 60, += 1000, count = 2820, last = 08

> Feb 8 11:27:11 castor sshd[57310]: Invalid user armando from 113.185.0.16

diff = 3, count -= 2820 * 3 / 60, += 1000, count = 3679, last = 11

> Feb 8 11:27:15 castor sshd[57312]: Invalid user armani from 113.185.0.16

diff = 4, count -= 3679 * 4 / 60, += 1000, count = 4434, last = 15

> Feb 8 11:27:18 castor sshd[57314]: Invalid user arnie from 113.185.0.16

diff = 3, count -= 4434 * 3 / 60, += 1000, count = 5213, last = 18

> Feb 8 11:27:22 castor sshd[57316]: Invalid user arne from 113.185.0.16

diff = 4, count -= 5213 * 4 / 60, += 1000, count = 5866, last = 22

> Feb 8 11:27:25 castor sshd[57318]: Invalid user arnold from 113.185.0.16

diff = 3, count -= 5866 * 3 / 60, += 1000, count = 6573, last = 25

> Feb 8 11:27:29 castor sshd[57320]: Invalid user art from 113.185.0.16

diff = 4, count -= 6573 * 4 / 60, += 1000, count = 7135, last = 29

> Feb 8 11:27:33 castor sshd[57322]: Invalid user arthur from 113.185.0.16

diff = 4, count -= 7135 * 4 / 60, += 1000, count = 7660, last = 33

> Feb 8 11:27:36 castor sshd[57324]: Invalid user artie from 113.185.0.16

diff = 3, count -= 7660 * 3 / 60, += 1000, count = 8277, last = 36

> Feb 8 11:27:47 castor sshd[57326]: Invalid user arty from 113.185.0.16

diff = 11, count -= 8277 * 11 / 60, += 1000, count = 7710, last = 47

(this 11 second pause is reducing the rate estimation significantly, if
the scanner hadn't paused so long, it would have triggered)

> Feb 8 11:27:50 castor sshd[57328]: Invalid user asha from 113.185.0.16

diff = 3, count -= 7710 * 3 / 60, += 1000, count = 8325, last = 50

> Feb 8 11:27:54 castor sshd[57330]: Invalid user asher from 113.185.0.16

diff = 4, count -= 8325 * 4 / 60, += 1000, count = 8770, last = 54

> Feb 8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16

diff = 3, count -= 8770 * 3 / 60, += 1000, count = 9332, last = 57

Now count is larger than your limit 9000, and the threshold is
triggered, after 15 connections (the 16th is probably due to syslog
not showing the precise timestamps).

You can re-calculate the steps with 30 (instead of 60),
and see how it triggers...
Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 10 14:03:35 2011
From: Vadym Chepkov
Date: Thu, 10 Feb 2011 09:03:32 -0500
In-Reply-To: <20110210075258.GB16942@insomnia.benzedrine.cx>
Message-Id: <94DFDF09-6C43-4A4D-B76A-FDFBF7C588B6@gmail.com>
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks

On Feb 10, 2011, at 2:52 AM, Daniel Hartmeier wrote:

>
>> Feb 8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16
>
> diff = 3, count -= 8770 * 3 / 60, += 1000, count = 9332, last = 57
>
> Now count is larger than your limit 9000, and the threshold is
> triggered, after 15 connections (the 16th is probably due to syslog
> not showing the precise timestamps).

Except it didn't :(
I just gave a sample of a one-minute interval. I didn't want to post all entries to the list:

# bzgrep 113.185.0.16 /var/log/auth.log.0.bz2 | wc -l
939

Vadym

>
> You can re-calculate the steps with 30 (instead of 60),
> and see how it triggers...
>
> Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 10 14:09:26 2011
From: Damien Fleuriot
Date: Thu, 10 Feb 2011 15:09:22 +0100
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
Message-ID: <4D53F192.2070004@my.gd>

On 2/9/11 10:00 PM, Vadym Chepkov wrote:
>
>
> On Feb 9, 2011, at 5:00 AM, Damien Fleuriot wrote:
>
>> Looks like my previous message didn't make it to the list.
>>
>>
>> @OP: nothing indicates that your table is getting populated correctly.
>>
>> While this doesn't address your main issue, you may want to install
>> sshguard which will automatically blacklist attackers and populate a
>> dedicated table.
>>
>
>
> Thanks for the suggestion, but as you said, it's a workaround.
> I'd rather try to understand why something that is supposed to work does not.
> Because this is something I have visibility into. What if something else doesn't work as expected and I blindly trust it?
>
> Vadym
>

From one of your other messages in the thread, you seem to be afraid of lowering the PF limits so much that it would blacklist you too.

With sshguard you could whitelist your own IPs, while configuring it to blacklist people after 5 failed attempts in a minute for example.

That would achieve what you want to do here with the overload directive.

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 10 14:13:14 2011
From: Damien Fleuriot
Date: Thu, 10 Feb 2011 15:13:10 +0100
To: freebsd-pf@freebsd.org
Message-ID: <4D53F276.5040006@my.gd>
References: <4D51A061.20704@sentex.net>
Subject: Re: brutal SSH attacks

On 2/8/11 11:06 PM, Vadym Chepkov wrote:
>
> On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
>
>> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.
>>>
>>> Here are the relevant parts:
>>>
>>> /etc/ssh/sshd_config
>>>
>>> PasswordAuthentication no
>>> MaxAuthTries 1
>>>
>>> /etc/pf.conf
>>>
>>> block in log on $wan_if
>>>
>>> table <abusive_hosts> persist
>>> block drop in quick from <abusive_hosts>
>>>
>>> pass quick proto tcp to $wan_if port ssh keep state \
>>>     (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
>>
>>
>> On RELENG_7 and 8 I use something like that. Is there a different IP
>> they might be connecting to that is not covered under $wan_if?
>>
>
> That would mean this rule doesn't work:
>
> block in log on $wan_if
>
>

No it wouldn't.

Your "block in log on $wan_if" rule is not quick, which means the ruleset evaluation continues.
If another rule further down matches (the pass in quick for instance) then it is applied instead.

normal rules: last match is applied to the packet
quick rules: first match is applied and ruleset evaluation ends

On a side note, I think you are under no obligation to add the "keep state" bit to the rule.
Rules default to "keep state flags S/SA".
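Daniel's step-by-step arithmetic for max-src-conn-rate, replayed in code over the sshd timestamps Vadym posted earlier in the thread, as an added example that is neither pf's code nor anything a list member wrote: it reports which connection trips 9/60 and whether the 2/5 Daniel proposed would trip at all. The log parser, the trips_when_paced helper and the assumption that a gap of a full interval resets the counter are this example's own.

```python
"""Replay of the max-src-conn-rate moving average described in this thread.

Added example, not pf's own code and not something a list member posted.
It follows the arithmetic Daniel Hartmeier laid out: a per-source counter
that decays in proportion to the time elapsed over the rate interval, gains
1000 per new connection (one-second timestamps) and trips the rule once it
exceeds 1000 * number.  Assumptions of this example: a gap of at least the
full interval resets the counter, and the parser and helper names are mine.
"""
import re
from typing import Dict, List, Optional, Tuple

THRESHOLD_MULT = 1000  # each new connection adds this much to the counter

# The sixteen sshd lines Vadym posted; only the timestamps and source matter.
SAMPLE_LOG = """\
Feb 8 11:27:01 castor sshd[57304]: Invalid user ariane from 113.185.0.16
Feb 8 11:27:04 castor sshd[57306]: Invalid user armand from 113.185.0.16
Feb 8 11:27:08 castor sshd[57308]: Invalid user armande from 113.185.0.16
Feb 8 11:27:11 castor sshd[57310]: Invalid user armando from 113.185.0.16
Feb 8 11:27:15 castor sshd[57312]: Invalid user armani from 113.185.0.16
Feb 8 11:27:18 castor sshd[57314]: Invalid user arnie from 113.185.0.16
Feb 8 11:27:22 castor sshd[57316]: Invalid user arne from 113.185.0.16
Feb 8 11:27:25 castor sshd[57318]: Invalid user arnold from 113.185.0.16
Feb 8 11:27:29 castor sshd[57320]: Invalid user art from 113.185.0.16
Feb 8 11:27:33 castor sshd[57322]: Invalid user arthur from 113.185.0.16
Feb 8 11:27:36 castor sshd[57324]: Invalid user artie from 113.185.0.16
Feb 8 11:27:47 castor sshd[57326]: Invalid user arty from 113.185.0.16
Feb 8 11:27:50 castor sshd[57328]: Invalid user asha from 113.185.0.16
Feb 8 11:27:54 castor sshd[57330]: Invalid user asher from 113.185.0.16
Feb 8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16
Feb 8 11:28:01 castor sshd[57334]: Invalid user ashton from 113.185.0.16
"""

LOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+(?P<day>\d{1,2})\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)"
    r"\s+\S+\s+sshd\[\d+\]: Invalid user \S+ from (?P<src>\S+)$"
)


def parse_sshd_log(text: str) -> Dict[str, List[int]]:
    """Group 'Invalid user' lines by source IP as seconds into the month.

    With MaxAuthTries 1 every such line is a separate TCP connection, which
    is exactly what the pf rule counts; non-matching lines are skipped.
    """
    per_source: Dict[str, List[int]] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            t = (int(m["day"]) * 86400 + int(m["h"]) * 3600
                 + int(m["m"]) * 60 + int(m["s"]))
            per_source.setdefault(m["src"], []).append(t)
    return per_source


def simulate(times: List[int], number: int,
             seconds: int) -> Tuple[Optional[int], List[int]]:
    """Replay the counter over ascending whole-second connection times.

    Returns the 1-based index of the connection that trips number/seconds
    (None if none does) and the counter value after each connection.
    """
    limit = number * THRESHOLD_MULT
    count, last, tripped = 0, None, None
    history: List[int] = []
    for i, now in enumerate(times, start=1):
        if last is not None:
            diff = now - last
            if diff >= seconds:  # assumption: a full interval of silence resets
                count = 0
            else:  # integer arithmetic, as in Daniel's step-by-step numbers
                count -= count * diff // seconds
        count += THRESHOLD_MULT
        last = now
        history.append(count)
        if tripped is None and count > limit:
            tripped = i
    return tripped, history


def trips_when_paced(spacing: float, number: int, seconds: int) -> bool:
    """Can a source opening one connection every `spacing` seconds ever trip?

    Gain and decay balance once the counter is about
    THRESHOLD_MULT * seconds / spacing, so it passes THRESHOLD_MULT * number
    only when spacing < seconds / number.  Integer truncation lets the
    counter creep a little higher, so treat the boundary as approximate.
    """
    return spacing < seconds / number


if __name__ == "__main__":
    for src, times in parse_sshd_log(SAMPLE_LOG).items():
        for number, seconds in ((9, 60), (2, 5)):
            tripped, history = simulate(times, number, seconds)
            print(f"{src} under {number}/{seconds}: tripped at connection "
                  f"{tripped}; counters {history}")
```

Connections landing in the same second each add a full 1000, so 2/5 trips on the third of three simultaneous connections, which is the lockout Vadym was worried about, while a scanner pacing itself at 3 to 4 seconds stays under it.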
From owner-freebsd-pf@FreeBSD.ORG Thu Feb 10 15:30:29 2011 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BA18E106564A for ; Thu, 10 Feb 2011 15:30:29 +0000 (UTC) (envelope-from Daniel.Hartmeier@swisscom.com) Received: from mail.swisscom.com (outmail100.swisscom.com [193.222.81.100]) by mx1.freebsd.org (Postfix) with ESMTP id 4F4448FC1A for ; Thu, 10 Feb 2011 15:30:28 +0000 (UTC) Received: by intmail1.corproot.net; Thu, 10 Feb 2011 15:56:58 +0100 From: To: Date: Thu, 10 Feb 2011 15:56:56 +0100 Thread-Topic: brutal SSH attacks Thread-Index: AcvJK1q74TwAqrznRz2C5wmZPYn8RQAAlaFQ Message-ID: References: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com> <20110209185118.GA16942@insomnia.benzedrine.cx> <20110210075258.GB16942@insomnia.benzedrine.cx> <94DFDF09-6C43-4A4D-B76A-FDFBF7C588B6@gmail.com> In-Reply-To: <94DFDF09-6C43-4A4D-B76A-FDFBF7C588B6@gmail.com> Accept-Language: de-DE, de-CH Content-Language: de-DE X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: de-DE, de-CH Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: freebsd-pf@freebsd.org Subject: RE: brutal SSH attacks X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Feb 2011 15:30:29 -0000 Ah, so I guess this does deserve some further debugging :) First, make sure those connections are matching the expected rule: Watch an ongoing scan, note the scanner's IP. Run # pfctl -vvss | grep -A 2 Note the rule number printed right-most in every third line, and compare th= em to the output of # pfctl -gsr i.e. 
for each state entry, find the rule with the corresponding rule number (the left-most @nr). Is it always the same rule, and does it have max-src-conn-rate/overload? This should also be the same rule number shown for pflog (e.g. "rule 5/0(match)").

Second, verify that the source node is being tracked:

# pfctl -vvsS | grep -A 1 <scanner IP>
<scanner IP> -> 0.0.0.0 ( states 8, connections 8, rate 7.9/60s )
   age 00:00:01, 72 pkts, 9384 bytes, filter rule 105

If it's found, how does it change as the scan progresses? If it's not found, check if you're hitting the limit of source nodes:

# pfctl -sS | wc -l
9025
# pfctl -sm
src-nodes hard limit 10000

(it can be increased in pf.conf with set limit src-nodes <number>)

Third, exclude the possibility that it did get added to the table, but somehow got removed again: If you watch an ongoing scan, see the source tracking node getting updated to the limit, and then check

# pfctl -t abusive_hosts -vvTt <scanner IP>

do you get a match? Are you running anything manually or through cron that might manipulate or flush the table, like a (often superfluous) pfctl -Fa when reloading the ruleset?
Regards,
Daniel

From owner-freebsd-pf@FreeBSD.ORG Thu Feb 10 15:59:19 2011
From: adrian ilarion ciobanu
To: freebsd-pf@freebsd.org
Date: Thu, 10 Feb 2011 17:59:18 +0200
Subject: pf user tags: maximum lifespan / accessibility

Hello,

My problem: I need to tag packets from both IPFW and PF for later processing by another PFIL filter (let's call it FILTY). I need this because IPFW and PF can be successfully used to some extent to take care of a big part of my packet matching rules and it would be stupid to implement again the same thing in FILTY instead of taking it further from where IPFW/PF left.

While IPFW's user-settable tag is later available as mbuf's m_tag_id and I can see it in FILTY, I can't say I can do the same thing with PF's user-settable tag, of course. But I was expecting to find my tag set somewhere (if matched) in the mbuf_tag's payload, besides pf_mtag data.
Later I realized that expecting this was an error since pf_mtags were there way before user-settable tags were introduced.

IPFW: user-settable tags are available for later querying from outside IPFW
PF: user-settable tags aren't available for later querying from outside PF.

Probably there's a good reason for this: could be that it would be hard to do, or just plain stupid or nobody would ever use it. Or it's just crazy. Although filter markers are very handy for passing info between subsystems, PF wants it only for its own usage.

If I am getting something wrong, bang my head and please point me to the right direction. If not,

My question: <