From owner-freebsd-pf@FreeBSD.ORG Sun Dec 6 09:19:14 2009
From: "Vitaliy Vladimirovich" (envelope-from artemrts@ukr.net)
To: Nico De Dobbeleer
Cc: freebsd-pf@freebsd.org
Date: Sun, 06 Dec 2009 11:19:11 +0200
In-Reply-To: <6783768.102251260022192330.JavaMail.root@zimbra-store>
Subject: Re: Limit connections doesn't work
List-Id: "Technical discussion and general questions about packet filter (pf)"

--- Original Message ---
From: Nico De Dobbeleer
To: freebsd-pf@freebsd.org
Date: 5 December, 16:09:52
Subject: Limit connections doesn't work

Hello,

As with most public IPs, my servers are constantly under brute-force attack. See the example:

Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2
Dec 5 13:56:51 hosting sshd[18629]: Invalid user rtorres from 173.10.126.226
Dec 5 13:56:53 hosting sshd[18629]: Failed password for invalid user rtorres from 173.10.126.226 port 49872 ssh2
Dec 5 13:56:55 hosting sshd[18631]: Invalid user jatema from 173.10.126.226
Dec 5 13:56:57 hosting sshd[18631]: Failed password for invalid user jatema from 173.10.126.226 port 50293 ssh2
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 173.10.126.226 port 50702 ssh2
Dec 5 13:57:04 hosting sshd[18635]: Failed password for invalid user root from 173.10.126.226 port 51154 ssh2
Dec 5 13:57:06 hosting sshd[18637]: Invalid user boss from 173.10.126.226
Dec 5 13:57:08 hosting sshd[18637]: Failed password for invalid user boss from 173.10.126.226 port 51507 ssh2
Dec 5 13:57:09 hosting sshd[18639]: Invalid user sasha from 173.10.126.226
Dec 5 13:57:11 hosting sshd[18639]: Failed password for invalid user sasha from 173.10.126.226 port 51929 ssh2
Dec 5 13:57:13 hosting sshd[18641]: Invalid user vic from 173.10.126.226
Dec 5 13:57:14 hosting sshd[18641]: Failed password for invalid user vic from 173.10.126.226 port 52321 ssh2
Dec 5 13:57:16 hosting sshd[18643]: Invalid user ranjith from 173.10.126.226
Dec 5 13:57:18 hosting sshd[18643]: Failed password for invalid user ranjith from 173.10.126.226 port 52650 ssh2
Dec 5 13:57:21 hosting sshd[18645]: Failed password for invalid user root from 173.10.126.226 port 53087 ssh2
Dec 5 13:57:25 hosting sshd[18647]: Failed password for invalid user root from 173.10.126.226 port 53447 ssh2
Dec 5 13:57:29 hosting sshd[18649]: Failed password for invalid user root from 173.10.126.226 port 53852 ssh2

Now I want to limit the connections over ssh to a specific IP address, and I added the rules below for that.

------------------------------------------------------------------------------------------------------------------
#Tables
table persist file "/etc/pf.abusive_ips.block.list"
table persist

# Rules
block quick from
block quick from

# Limit connections per IP
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
--------------------------------------------------------------------------------------------------------------------

The only problem is that it doesn't work. These rules don't write the abusive IP into the abusive list file or into the table. Anyone have an idea why it doesn't overload the IPs when the connections per IP are more than 10, or more than 3/15?

With kind regards,
Nico De Dobbeleer
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

I think you should specify source-track (rule or global) in your rules, like this:

pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max 10, source-track rule, max-src-conn 10, max-src-conn-rate 3/15, overload flush)

See the PF FAQ, Stateful Tracking Options.
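A complete rule set in the shape the reply describes, added here as an illustration and not taken from either message or from the PF FAQ. The table names abusive_ips and bruteforce, the interface macro ext_if = "em0" and the masked address xx.xx.xx.xx are placeholders standing in for whatever the original configuration used.

```pf
# Added example, not from the thread. Table and interface names are placeholders.
ext_if   = "em0"             # assumed external interface
ssh_host = "xx.xx.xx.xx"     # the SSH server address, masked as in the thread

# Hand-maintained block list, re-read from the file on every 'pfctl -f'
table <abusive_ips> persist file "/etc/pf.abusive_ips.block.list"
# Filled automatically by the overload option below; 'persist' keeps the
# table across rule reloads even while it is empty
table <bruteforce> persist

# The block rules must come before the pass rule: both are 'quick', and
# the first matching 'quick' rule decides, so a listed source never
# reaches the pass rule
block in quick on $ext_if from <abusive_ips>
block in quick on $ext_if from <bruteforce>

# source-track rule      : count states per source address for this rule
# max-src-conn 10        : at most 10 simultaneous completed SSH
#                          connections from one source
# max-src-conn-rate 3/15 : at most 3 new connections from one source
#                          in any 15-second interval
# overload <bruteforce>  : put a source that exceeds either limit into
#                          the table, where the block rule above catches it
# flush global           : also kill that source's existing states,
#                          whichever rule created them
pass in quick on $ext_if inet proto tcp from any to $ssh_host port ssh \
    flags S/SA keep state \
    (source-track rule, max-src-conn 10, max-src-conn-rate 3/15, \
     overload <bruteforce> flush global)
```

pfctl -t bruteforce -T show lists the addresses the overload option has added, which is the first thing to check when a rule like the one in the question appears not to fire; pfctl -t bruteforce -T expire 86400 (for example from cron) removes entries older than a day.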