Date:      Tue, 08 Feb 2011 14:58:25 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        Vadym Chepkov <vchepkov@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: brutal SSH attacks
Message-ID:  <4D51A061.20704@sentex.net>
In-Reply-To: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>

On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
> Hi,
> 
> Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.
> 
> Here are the relevant parts:
> 
> /etc/ssh/sshd_config
> 
> PasswordAuthentication no
> MaxAuthTries 1
> 
> /etc/pf.conf
> 
> block in log on $wan_if
> 
> table <abusive_hosts> persist
> block drop in quick from <abusive_hosts>
> 
> pass quick proto tcp to $wan_if port ssh keep state \
> (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)


On RELENG_7 and 8 I use something like that.  Is there a different IP
they might be connecting to that is not covered under $wan_if?



table <bruteforce> persist
table <SSHTRUSTED> {xx.yy.zz.aa}



block log all
block in log quick proto tcp from <bruteforce> to any port 22
pass in log quick proto tcp from {!<SSHTRUSTED>} to self port ssh \
        flags S/SA keep state \
        (max-src-conn 6, max-src-conn-rate 3/30, \
        overload <bruteforce> flush global)
pass in log inet proto tcp from <SSHTRUSTED> to self port ssh keep state



	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
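One check worth doing before blaming either ruleset above is to confirm that the attacking hosts actually exceed the rate the overload rule watches for (9 new connections in 60 seconds in the original post); a slow or distributed brute-forcer never trips it. The script below is an added example, not code from this thread: it replays a constructed sshd auth-log excerpt (hostnames, addresses and timestamps are made up) and reports which sources would have been moved into the overload table, using a sliding-window approximation of max-src-conn-rate (the kernel's exact per-source accounting differs slightly).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt (syslog format, no year); not real traffic.
SAMPLE_LOG = """\
Feb  8 13:00:01 gw sshd[4101]: Invalid user admin from 198.51.100.7
Feb  8 13:00:05 gw sshd[4102]: Invalid user test from 198.51.100.7
Feb  8 13:00:09 gw sshd[4103]: Invalid user oracle from 198.51.100.7
Feb  8 13:00:13 gw sshd[4104]: Invalid user guest from 198.51.100.7
Feb  8 13:00:17 gw sshd[4105]: Invalid user user from 198.51.100.7
Feb  8 13:00:21 gw sshd[4106]: Invalid user ftp from 198.51.100.7
Feb  8 13:00:25 gw sshd[4107]: Invalid user postgres from 198.51.100.7
Feb  8 13:00:29 gw sshd[4108]: Invalid user mysql from 198.51.100.7
Feb  8 13:00:33 gw sshd[4109]: Invalid user nagios from 198.51.100.7
Feb  8 13:00:37 gw sshd[4110]: Did not receive identification string from 198.51.100.7
Feb  8 13:01:00 gw sshd[4111]: Invalid user admin from 203.0.113.9
Feb  8 13:01:30 gw sshd[4112]: Accepted publickey for mike from 192.0.2.1 port 50112 ssh2
Feb  8 13:02:10 gw sshd[4113]: Invalid user root from 203.0.113.9
Feb  8 13:03:20 gw sshd[4114]: Invalid user admin from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+|Did not receive identification string) from (\d+(?:\.\d+){3})"
)

def parse_attempts(log_text, year=2011):
    """Source IP -> sorted timestamps of its failed attempts (successful logins ignored)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse syslog's padded day number
            attempts[m.group(2)].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    return {src: sorted(ts) for src, ts in attempts.items()}

def peak_rate(times, seconds):
    """Most attempts from one source inside any window of `seconds` (two-pointer sweep)."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def would_overload(log_text, limit=9, seconds=60):
    """Sources whose peak rate exceeds limit/seconds, i.e. the overload rule would have fired."""
    return sorted(src for src, ts in parse_attempts(log_text).items()
                  if peak_rate(ts, seconds) > limit)
```

Run it against a real /var/log/auth.log with the limit and interval from your own pass rule; a source that shows up in the log but never exceeds the rate is the sign that the threshold, not the rule order, is what needs attention.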