From owner-freebsd-pf@FreeBSD.ORG Tue Feb 8 22:06:53 2011
From: Vadym Chepkov
Date: Tue, 8 Feb 2011 17:06:49 -0500
In-Reply-To: <4D51A061.20704@sentex.net>
References: <4D51A061.20704@sentex.net>
To: Mike Tancsa
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:

> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>> Hi,
>>
>> Could somebody help in figuring out why a PF configuration meant to prevent brutal SSH attacks doesn't work.
>>
>> Here are the relevant parts:
>>
>> /etc/ssh/sshd_config
>>
>> PasswordAuthentication no
>> MaxAuthTries 1
>>
>> /etc/pf.conf
>>
>> block in log on $wan_if
>>
>> table persist
>> block drop in quick from
>>
>> pass quick proto tcp to $wan_if port ssh keep state \
>>     (max-src-conn 10, max-src-conn-rate 9/60, overload flush global)
>
>
> On RELENG_7 and 8 I use something like that. Is there a different IP
> they might be connecting to that is not covered under $wan_if?
>

That would mean this rule doesn't work: block in log on $wan_if

>
>
> table persist
> table {xx.yy.zz.aa}
>
>
>
> block log all
> block in log quick proto tcp from to any port 22
> pass in log quick proto tcp from {!} to self port ssh \
>     flags S/SA keep state \
>     (max-src-conn 6, max-src-conn-rate 3/30, \
>     overload flush global)
> pass in log inet proto tcp from to self port ssh keep state
>

I don't have "trusted" outside IPs; other than that, your config seems the same, except mine is supposed to be more strict: just one IP instead of "self". By the way, wouldn't using "self" allow incoming packets to 127.0.0.1?
Vadym

>
>
> ---Mike
>
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
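Added by the editor, not part of this thread: a small C model of the per-source counter behind pf's max-src-conn-rate, written after pf_init_threshold(), pf_add_threshold() and pf_check_threshold() in pf.c, and replayed against the "max-src-conn-rate 9/60" rule from the original post. The connection timings are constructed for the example. The point it makes is what the two numbers actually bound: the counter decays continuously with idle time rather than counting connections inside a fixed 60-second window, so a burst of one connection per second is caught at the 10th connection, while a source that spaces its attempts 7 seconds or more apart stays under the limit for as long as it likes.

```c
/* Added example (not from the thread): model of the decaying per-source
 * counter pf uses for max-src-conn-rate, after pf_init_threshold(),
 * pf_add_threshold() and pf_check_threshold() in pf.c, replayed against
 * the "max-src-conn-rate 9/60" rule from the original post. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PF_THRESHOLD_MULT 1000u   /* pf keeps the count scaled by 1000 */

struct pf_threshold {
    uint32_t limit;    /* rule limit (connections) * PF_THRESHOLD_MULT */
    uint32_t seconds;  /* rule interval in seconds */
    uint32_t count;    /* decaying connection count, scaled */
    uint32_t last;     /* uptime (s) when count was last updated */
};

/* Run once when pf creates the source node for a new address. */
static void pf_init_threshold(struct pf_threshold *th, uint32_t limit,
    uint32_t seconds, uint32_t now)
{
    th->limit = limit * PF_THRESHOLD_MULT;
    th->seconds = seconds;
    th->count = 0;
    th->last = now;
}

/* Run for every new state (TCP connection) from the source: decay the
 * count in proportion to the idle time, then add one connection. */
static void pf_add_threshold(struct pf_threshold *th, uint32_t now)
{
    uint32_t diff = now - th->last;

    if (diff >= th->seconds)
        th->count = 0;
    else
        th->count -= th->count * diff / th->seconds;
    th->count += PF_THRESHOLD_MULT;
    th->last = now;
}

/* True once the source exceeds the rate; pf then refuses the state and,
 * with "overload <table>", inserts the source address into that table. */
static int pf_check_threshold(const struct pf_threshold *th)
{
    return th->count > th->limit;
}

/* Replay ascending connection timestamps (seconds) from one source.
 * Returns the 1-based index of the connection that trips the rule, or
 * 0 if the source never reaches the overload table. */
int first_overloaded_conn(const uint32_t *times, size_t n,
    uint32_t limit, uint32_t seconds)
{
    struct pf_threshold th;
    size_t i;

    if (n == 0)
        return 0;
    pf_init_threshold(&th, limit, seconds, times[0]);
    for (i = 0; i < n; i++) {
        pf_add_threshold(&th, times[i]);
        if (pf_check_threshold(&th))
            return (int)i + 1;
    }
    return 0;
}

/* Constructed pattern: one new connection every `interval` seconds, `n`
 * connections in total. With MaxAuthTries 1 every login attempt is its
 * own TCP connection, so every attempt is one new state here. */
int steady_rate_trips_at(uint32_t interval, size_t n, uint32_t limit,
    uint32_t seconds)
{
    uint32_t *times = malloc(n * sizeof *times);
    size_t i;
    int r;

    if (times == NULL)
        return -1;
    for (i = 0; i < n; i++)
        times[i] = (uint32_t)i * interval;
    r = first_overloaded_conn(times, n, limit, seconds);
    free(times);
    return r;
}

int main(void)
{
    const uint32_t intervals[] = { 1, 6, 7, 10 };
    size_t i;

    for (i = 0; i < sizeof intervals / sizeof intervals[0]; i++) {
        int at = steady_rate_trips_at(intervals[i], 100, 9, 60);
        if (at)
            printf("1 conn every %2" PRIu32 "s: overloaded at connection %d\n",
                intervals[i], at);
        else
            printf("1 conn every %2" PRIu32 "s: never overloaded in 100 conns\n",
                intervals[i]);
    }
    return 0;
}
```

The rule therefore limits a sustained rate of roughly nine new connections per minute from one address; it never caps the total number of attempts, and it tracks nothing across addresses. On the box in question, `pfctl -t <table> -T show` shows whether anything has been inserted into the overload table at all, and `pfctl -vsr` shows the per-rule evaluation and state counters, which tells you whether the pass rule with the overload clause is the one the SSH connections are actually matching.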