Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 10 Feb 2011 15:56:56 +0100
From:      <Daniel.Hartmeier@swisscom.com>
To:        <vchepkov@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   RE: brutal SSH attacks
Message-ID:  <C10F29AB06447B4881FC0DE1E302E2F206FE86AE07@sg000036.corproot.net>
In-Reply-To: <94DFDF09-6C43-4A4D-B76A-FDFBF7C588B6@gmail.com>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com> <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <A6E48F78-AC10-40DE-9345-86D14CC4D3A1@gmail.com> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com> <A141DF22-E35C-46BD-B88B-D68800812359@gmail.com> <20110209185118.GA16942@insomnia.benzedrine.cx> <FB3E9540-742A-4783-9813-B7DBCD515C7E@gmail.com> <20110210075258.GB16942@insomnia.benzedrine.cx> <94DFDF09-6C43-4A4D-B76A-FDFBF7C588B6@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
Ah, so I guess this does deserve some further debugging :)

First, make sure those connections are matching the expected rule:

Watch an ongoing scan, note the scanner's IP. Run

  # pfctl -vvss | grep -A 2 <IP>

Note the rule number printed right-most in every third line, and compare th=
em to the output
of

  # pfctl -gsr

i.e. for each state entry, find the rule with the corresponding rule number=
 (the left-most @nr).
Is it always the same rule, and does it have max-src-conn-rate/overload? Th=
is should also
be the same rule number shown for pflog (e.g. "rule 5/0(match)").

Second, verify that the source node is being tracked:

  # pfctl -vvsS | grep -A 1 <IP>
  <IP> -> 0.0.0.0 ( states 8, connections 8, rate 7.9/60s )
     age 00:00:01, 72 pkts, 9384 bytes, filter rule 105

If it's found, how does it change as the scan progresses?
If it's not found, check if you're hitting the limit of source nodes:

  # pfctl -sS | wc -l
       9025
  # pfctl -sm
  src-nodes     hard limit    10000

(it can be increased in pf.conf with set limit src-nodes <nr>)

Third, exclude the possibility that it did get added to the table, but some=
how got removed again:

If you watch an ongoing scan, see the source tracking node getting updated =
to the limit,
and then check

  # pfctl -t abusive_hosts -vvTt <IP>

do you get a match?

Are you running anything manually or through cron that might manipulate or =
flush the table,
like a (often superfluous) pfctl -Fa when reloading the ruleset?

Regards,
Daniel

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C10F29AB06447B4881FC0DE1E302E2F206FE86AE07>