From owner-freebsd-pf@FreeBSD.ORG  Tue Feb  8 19:58:33 2011
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id DF1211065670
	for <freebsd-pf@freebsd.org>; Tue,  8 Feb 2011 19:58:33 +0000 (UTC)
	(envelope-from mike@sentex.net)
Received: from smarthost1.sentex.ca (smarthost1-6.sentex.ca
	[IPv6:2607:f3e0:0:1::12])
	by mx1.freebsd.org (Postfix) with ESMTP id 97CCF8FC08
	for <freebsd-pf@freebsd.org>; Tue,  8 Feb 2011 19:58:33 +0000 (UTC)
Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca
	[IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a])
	by smarthost1.sentex.ca (8.14.4/8.14.4) with ESMTP id p18JwVAF083357
	(version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO);
	Tue, 8 Feb 2011 14:58:31 -0500 (EST) (envelope-from mike@sentex.net)
Message-ID: <4D51A061.20704@sentex.net>
Date: Tue, 08 Feb 2011 14:58:25 -0500
From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;
	rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Vadym Chepkov <vchepkov@gmail.com>
References: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>
In-Reply-To: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.67 on IPv6:2607:f3e0:0:1::12
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Feb 2011 19:58:33 -0000

On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
> Hi,
> 
> Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.
> 
> Here are the relevant parts:
> 
> /etc/ssh/sshd_config
> 
> PasswordAuthentication no
> MaxAuthTries 1
> 
> /etc/pf.conf
> 
> block in log on $wan_if
> 
> table <abusive_hosts> persist
> block drop in quick from <abusive_hosts>
> 
> pass quick proto tcp to $wan_if port ssh keep state \
> (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)


On RELENG_7 and 8 I use something like that.  Is there a different IP
they might be connecting to that is not covered under $wan_if?



table <bruteforce> persist
table <SSHTRUSTED> {xx.yy.zz.aa}



block log all
block in log quick proto tcp from <bruteforce> to any port 22
pass in log quick proto tcp from {!<SSHTRUSTED>} to self port ssh \
        flags S/SA keep state \
        (max-src-conn 6, max-src-conn-rate 3/30, \
        overload <bruteforce> flush global)
pass in log inet proto tcp from <SSHTRUSTED> to self port ssh keep state



	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/