From owner-freebsd-pf@FreeBSD.ORG Thu Feb 10 14:03:35 2011
From: Vadym Chepkov
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Thu, 10 Feb 2011 09:03:32 -0500
Subject: Re: brutal SSH attacks
Message-Id: <94DFDF09-6C43-4A4D-B76A-FDFBF7C588B6@gmail.com>
In-Reply-To: <20110210075258.GB16942@insomnia.benzedrine.cx>
References: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com> <20110209185118.GA16942@insomnia.benzedrine.cx> <20110210075258.GB16942@insomnia.benzedrine.cx>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Feb 10, 2011, at 2:52 AM, Daniel Hartmeier wrote:

>
>> Feb 8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16
>
> diff = 3, count -= 8770 * 3 / 60, += 1000, count = 9332, last = 57
>
> Now count is larger than your limit 9000, and the threshold is
> triggered, after 15 connections (the 16th is probably due to syslog
> not showing the precise timestamps).

Except it didn't :(

I just gave a sample of a one minute interval. I didn't want to post all entries to the list:

# bzgrep 113.185.0.16 /var/log/auth.log.0.bz2 | wc -l
939

Vadym

> You can re-calculate the steps with 30 (instead of 60),
> and see how it triggers...
>
> Daniel
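The arithmetic Daniel steps through above ("diff = 3, count -= 8770 * 3 / 60, += 1000, count = 9332") is pf's decay-then-add source-tracking counter, and the easiest way to check a max-src-conn-rate rule against a real log is to replay that counter over the timestamps. The following is an added example written for this archive page; it is not code from the thread and not pf's own source. It assumes the rule under discussion is 9 connections per 60 seconds (the 9000 limit and the /60 in the quoted step), and the log lines, hostnames and source addresses it feeds in are constructed, not taken from the list post.

```python
"""Replay pf's per-source connection-rate counter over sshd log lines.

Added example, not code from this thread nor from pf itself: it re-implements
the arithmetic in the quoted step (count -= count * diff / seconds, then
count += 1000, compared against limit * 1000) so that a max-src-conn-rate
limit can be checked against auth.log timestamps.  Assumed rule: 9/60.
All log lines and addresses below are constructed.
"""
import re
from datetime import datetime

MULT = 1000  # the counter is kept scaled by 1000, hence "+= 1000" per connection


class Threshold:
    """Decay-then-add counter: count -= count * diff / seconds, then count += MULT."""

    def __init__(self, limit, seconds):
        self.limit = limit * MULT   # e.g. 9 * 1000 = 9000, the limit in the quote
        self.seconds = seconds      # the rate window, 60 in the quote
        self.count = 0
        self.last = None            # time of the previous connection from this source

    def add(self, now):
        """Account one new connection at integer time `now`; return the new count."""
        if self.last is None or now - self.last >= self.seconds:
            self.count = 0          # nothing seen inside the window: start over
        else:
            diff = now - self.last
            # integer arithmetic, as the kernel does it: the decay is floored
            self.count -= self.count * diff // self.seconds
        self.count += MULT
        self.last = now
        return self.count

    def exceeded(self):
        return self.count > self.limit


def first_trip(times, limit, seconds):
    """1-based connection number at which the counter first exceeds the limit, or None."""
    th = Threshold(limit, seconds)
    for n, t in enumerate(times, 1):
        th.add(t)
        if th.exceeded():
            return n
    return None


# Syslog line of the shape seen in the thread:
# "Feb  8 11:27:57 host sshd[pid]: Invalid user NAME from A.B.C.D"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"sshd\[\d+\]: Invalid user \S+ from (?P<src>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_event(line, year=2011):
    """(source address, seconds since Jan 1 of `year`) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return m["src"], int((ts - datetime(year, 1, 1)).total_seconds())


def replay_log(lines, limit, seconds):
    """Per source address, the connection number that trips the rule (None if it never does)."""
    per_src = {}
    for line in lines:
        ev = parse_event(line)
        if ev:
            per_src.setdefault(ev[0], []).append(ev[1])
    return {src: first_trip(ts, limit, seconds) for src, ts in per_src.items()}


def _lines(src, spacing, n):
    # constructed log lines (not from the thread): n attempts from src, `spacing` seconds apart
    out = []
    for i in range(n):
        t = i * spacing
        out.append(f"Feb  8 11:{27 + t // 60:02d}:{t % 60:02d} castor sshd[{57000 + i}]: "
                   f"Invalid user test{i} from {src}")
    return out


# One source hammering every 4 s (15/min, above 9/60) and one every 7 s (under 9/60).
SAMPLE_LOG = _lines("198.51.100.7", 4, 16) + _lines("192.0.2.9", 7, 16)

if __name__ == "__main__":
    for src, n in replay_log(SAMPLE_LOG, 9, 60).items():
        print(src, "trips at connection", n if n else "never")
```

Two things the replay makes visible: the decay is integer-floored and applied before the new connection is added, so a source just under the rate settles at a steady count below the limit and never trips (the 7-second source above), while a source only a little above it takes well over nine connections to accumulate past 9000 (the 4-second source trips on its 14th). Syslog's one-second resolution also means several connections logged in the same second decay by nothing between them, which is the point Daniel raises about the 15th versus 16th connection.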