Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 8 Feb 2011 17:06:49 -0500
From:      Vadym Chepkov <vchepkov@gmail.com>
To:        Mike Tancsa <mike@sentex.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: brutal SSH attacks
Message-ID:  <FFC11535-7638-4FE7-84EC-EED8D9A443BA@gmail.com>
In-Reply-To: <4D51A061.20704@sentex.net>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com> <4D51A061.20704@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help 


On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:

> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>> Hi,
>> 
>> Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.
>> 
>> Here are the relevant parts:
>> 
>> /etc/ssh/sshd_config
>> 
>> PasswordAuthentication no
>> MaxAuthTries 1
>> 
>> /etc/pf.conf
>> 
>> block in log on $wan_if
>> 
>> table <abusive_hosts> persist
>> block drop in quick from <abusive_hosts>
>> 
>> pass quick proto tcp to $wan_if port ssh keep state \
>> (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
> 
> 
> On RELENG_7 and 8 I use something like that.  Is there a different IP
> they might be connecting to that is not covered under $wan_if?
> 

That would mean this rule doesn't work:

block in log on $wan_if


> 
> 
> table <bruteforce> persist
> table <SSHTRUSTED> {xx.yy.zz.aa}
> 
> 
> 
> block log all
> block in log quick proto tcp from <bruteforce> to any port 22
> pass in log quick proto tcp from {!<SSHTRUSTED>} to self port ssh \
>        flags S/SA keep state \
>        (max-src-conn 6, max-src-conn-rate 3/30, \
>        overload <bruteforce> flush global)
> pass in log inet proto tcp from <SSHTRUSTED> to self port ssh keep state
> 

I don't have "trusted" outside IPs, other then that your config seems the same, except mine suppose to be more strict - just one IP instead of "self".
By the way, wouldn't using "self" allow incoming packets to 127.0.0.1?

Vadym


> 
> 
> 	---Mike
> 
> 
> -- 
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada   http://www.tancsa.com/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?FFC11535-7638-4FE7-84EC-EED8D9A443BA>