From owner-freebsd-pf@FreeBSD.ORG Thu Feb 10 15:30:29 2011
From: Daniel.Hartmeier@swisscom.com
Date: Thu, 10 Feb 2011 15:56:56 +0100
Subject: RE: brutal SSH attacks
Cc: freebsd-pf@freebsd.org
In-Reply-To: <94DFDF09-6C43-4A4D-B76A-FDFBF7C588B6@gmail.com>
References: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com> <20110209185118.GA16942@insomnia.benzedrine.cx> <20110210075258.GB16942@insomnia.benzedrine.cx> <94DFDF09-6C43-4A4D-B76A-FDFBF7C588B6@gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Ah, so I guess this does deserve some further debugging :)

First, make sure those connections are matching the expected rule: watch an ongoing scan, note the scanner's IP. Run

  # pfctl -vvss | grep -A 2

Note the rule number printed right-most in every third line, and compare them to the output of

  # pfctl -gsr

i.e. for each state entry, find the rule with the corresponding rule number (the left-most @nr). Is it always the same rule, and does it have max-src-conn-rate/overload? This should also be the same rule number shown for pflog (e.g. "rule 5/0(match)").

Second, verify that the source node is being tracked:

  # pfctl -vvsS | grep -A 1
   -> 0.0.0.0 ( states 8, connections 8, rate 7.9/60s )
     age 00:00:01, 72 pkts, 9384 bytes, filter rule 105

If it's found, how does it change as the scan progresses? If it's not found, check if you're hitting the limit of source nodes:

  # pfctl -sS | wc -l
  9025
  # pfctl -sm
  src-nodes hard limit 10000

(it can be increased in pf.conf with set limit src-nodes )

Third, exclude the possibility that it did get added to the table, but somehow got removed again: if you watch an ongoing scan, see the source tracking node getting updated to the limit, and then check

  # pfctl -t abusive_hosts -vvTt

do you get a match?

Are you running anything manually or through cron that might manipulate or flush the table, like a (often superfluous) pfctl -Fa when reloading the ruleset?

Regards,
Daniel
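The first two checks in the post (which rule each state was created by, and what the source-tracking node for the scanner reports) can be scripted against captured pfctl output. The script below is an added example, not part of the original message or of pf itself: it parses constructed sample output in the layout assumed here for "pfctl -vvss | grep -A 2 <ip>" (state line, sequence line, then an "age ..., rule N" line, with grep's "--" separator) and for "pfctl -vvsS | grep -A 1 <ip>", then reports whether the states are spread over several rules, whether the node is tracked by the same rule, and whether its observed rate already exceeds a hypothetical max-src-conn-rate of 5/60. Addresses, counts and the 5/60 setting are all constructed values.

```python
import re
from collections import Counter

# Constructed sample in the layout assumed for `pfctl -vvss | grep -A 2 <ip>`:
# one state line, one sequence-number line, one "age ..., rule N" line,
# with grep's "--" separator between hits. Not real pfctl output.
STATES_SAMPLE = """\
all tcp 198.51.100.10:22 <- 192.0.2.7:51001       SYN_SENT:CLOSED
   [0 + 1] wscale 0  [0 + 0] wscale 0
   age 00:00:01, expires in 00:00:29, 1:0 pkts, 60:0 bytes, rule 5
--
all tcp 198.51.100.10:22 <- 192.0.2.7:51002       ESTABLISHED:ESTABLISHED
   [1 + 65535] wscale 3  [1 + 65535] wscale 3
   age 00:00:02, expires in 24:00:00, 12:13 pkts, 1200:1500 bytes, rule 5
--
all tcp 198.51.100.10:22 <- 192.0.2.7:51003       SYN_SENT:CLOSED
   [0 + 1] wscale 0  [0 + 0] wscale 0
   age 00:00:01, expires in 00:00:29, 1:0 pkts, 60:0 bytes, rule 7
"""

# Constructed sample in the layout of the source-node entry quoted in the post.
SRC_NODE_SAMPLE = """\
192.0.2.7 -> 0.0.0.0 ( states 8, connections 8, rate 7.9/60s )
   age 00:00:01, 72 pkts, 9384 bytes, filter rule 5
"""

STATE_RULE_RE = re.compile(r"^\s*age .*,\s*rule (\d+)\s*$")
NODE_HEAD_RE = re.compile(
    r"^(\S+) -> (\S+) \( states (\d+), connections (\d+), rate ([\d.]+)/(\d+)s \)")
NODE_RULE_RE = re.compile(r"filter rule (\d+)\s*$")


def rules_per_state(states_text):
    """Count how many states hang off each rule number (right-most on the age line)."""
    counts = Counter()
    for line in states_text.splitlines():
        m = STATE_RULE_RE.match(line)
        if m:
            counts[int(m.group(1))] += 1
    return counts


def parse_src_node(node_text):
    """Parse the two-line source-node entry; return None when no node is tracked."""
    lines = node_text.splitlines()
    if not lines:
        return None
    m = NODE_HEAD_RE.match(lines[0])
    if not m:
        return None
    node = {
        "src": m.group(1), "states": int(m.group(3)),
        "connections": int(m.group(4)),
        "rate": float(m.group(5)), "window": int(m.group(6)), "rule": None,
    }
    if len(lines) > 1:
        r = NODE_RULE_RE.search(lines[1])
        if r:
            node["rule"] = int(r.group(1))
    return node


def check(states_text, node_text, max_conn, max_window):
    """Cross-check states against the source node; max_conn/max_window mirror
    the rule's max-src-conn-rate <conn>/<seconds> setting (hypothetical here)."""
    rules = rules_per_state(states_text)
    node = parse_src_node(node_text)
    findings = []
    if len(rules) > 1:
        findings.append("states match more than one rule: %s" % dict(rules))
    if node is None:
        findings.append("no source node tracked: check 'pfctl -sm' src-nodes limit")
    else:
        if node["rule"] not in rules:
            findings.append("source node belongs to rule %s, states do not" % node["rule"])
        if node["window"] == max_window and node["rate"] > max_conn:
            findings.append("rate %.1f/%ds exceeds %d/%ds: overload table should hold %s"
                            % (node["rate"], node["window"], max_conn, max_window, node["src"]))
    return {"rules": rules, "node": node, "findings": findings}


if __name__ == "__main__":
    for line in check(STATES_SAMPLE, SRC_NODE_SAMPLE, 5, 60)["findings"]:
        print(line)
```

On a real box, feed the script the saved output of the two pfctl commands for the scanner's address instead of the constructed samples; a "states match more than one rule" finding is the case the post warns about, where some connections are created by a rule without max-src-conn-rate/overload and never count towards the table.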