From: "Sergey V. Dyatko" <sergey.dyatko@gmail.com>
To: freebsd-pf@FreeBSD.org
Subject: Re: pf and max-src-conn-rate
Date: Tue, 17 Nov 2009 13:02:05 +0200
Message-ID: <20091117130205.2e3a5500@notebook>
In-Reply-To: <20091117124804.08d70a8e@notebook>
References: <20091117124804.08d70a8e@notebook>
X-Mailer: Claws Mail 3.7.2 (GTK+ 2.16.6; i386-portbld-freebsd9.0)
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, 17 Nov 2009 12:48:04 +0200 "Sergey V. Dyatko" wrote:

Oops, sorry for the noise. I didn't see that it is only 1 connection.

SVD> Hi list,
SVD> I'm trying to stop ssh brute force on my box (rules below), but it
SVD> doesn't work. Looks like a 1 sec interval is too small :(
SVD>
SVD> from auth.log:
SVD> ...
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from 200.27.164.214
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication error for illegal user cobert from server.aconex.cl
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
SVD> ...
SVD> Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication error for illegal user colman from 80.243.172.54
SVD> Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45081 ssh2
SVD> ...
SVD>
SVD> As you can see I got 2 connections from 1 IP in 1 second but...
SVD>
SVD> #pfctl -tbots -Tshow|wc -l
SVD> 0
SVD>
SVD> Where am I wrong?
SVD>
SVD> pf.conf:
SVD>
SVD> ext_if="em0"
SVD>
SVD> # the name of this table was lost when the page was extracted;
SVD> # <whitelist> is a placeholder for it, <bots> is the name used with pfctl below
SVD> table <whitelist> { my_net/24, some_ip/32 }
SVD> table <bots> persist
SVD>
SVD> scrub in all
SVD>
SVD> pass in quick on $ext_if proto tcp from <whitelist>
SVD> block in quick from <bots>
SVD>
SVD> pass in quick on $ext_if proto tcp to $ext_if port ssh \
SVD>     flags S/SA keep state \
SVD>     ( max-src-conn-rate 2/1, overload <bots> flush )
SVD>
SVD> pass in all
SVD> pass out all

--
wbr, tiger
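The author's follow-up ("it is only 1 connection") is the whole answer: the two auth.log lines at 13:32:14 share sshd PID 3902, so they are two password attempts on one TCP connection, and pf's max-src-conn-rate counts new connections (state creations) per source, not login failures. The script below is an added example, not code from the post or from pf: it parses sshd log lines, groups them into connections by sshd PID, and then applies a sliding window that approximates what `max-src-conn-rate N/M, overload <bots>` would do (pf itself uses a moving average, so treat the result as an approximation). The sample log is constructed to mirror the post's format; the 198.51.100.7 lines and the extra attempts are invented for illustration.

```python
"""Approximate pf's max-src-conn-rate accounting over sshd auth.log lines.

Added example, not from the mailing-list post. Each pre-auth sshd child
(one PID) serves exactly one TCP connection, so lines sharing a PID are one
connection however many "Failed ..." entries they produce. pf's
max-src-conn-rate N/M rate-limits NEW connections per source; it never
sees individual password attempts inside an established connection.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the post's lines. 198.51.100.7 is a
# documentation address and its lines are invented; so is the second
# attempt from PID 3902 and the extra PIDs 3962/3963.
SAMPLE_LOG = """\
Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from 200.27.164.214
Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication error for illegal user cobert from server.aconex.cl
Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
Nov 17 13:32:16 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45081 ssh2
Nov 17 13:40:17 master-db6 sshd[3962]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45082 ssh2
Nov 17 13:40:17 master-db6 sshd[3963]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45083 ssh2
Nov 17 13:50:00 master-db6 sshd[4001]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Nov 17 13:50:02 master-db6 sshd[4001]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Nov 17 13:50:05 master-db6 sshd[4002]: Failed password for invalid user admin from 198.51.100.7 port 50002 ssh2
"""

# Lines that name only a hostname (the PAM line above) carry no IPv4 source
# and are skipped; pf keys its source tracking on the address, not the name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r".*?from (?P<src>\d+\.\d+\.\d+\.\d+)(?: port (?P<port>\d+))?"
)


def parse_connections(log, year=2009):
    """Return {src: sorted timestamps}, one timestamp per (src, PID).

    The first line seen for a PID is taken as the moment the connection
    (and hence the pf state) was created.
    """
    first_seen = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        first_seen.setdefault((m["src"], m["pid"]), ts)
    conns = defaultdict(list)
    for (src, _pid), ts in first_seen.items():
        conns[src].append(ts)
    return {src: sorted(times) for src, times in conns.items()}


def failed_attempts(log):
    """Count 'Failed ...' lines per source: what the post was really looking at."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and "Failed" in line:
            counts[m["src"]] += 1
    return dict(counts)


def overloaded(conns, limit, seconds):
    """Sources that opened more than `limit` connections inside any window
    shorter than `seconds`, i.e. what `max-src-conn-rate limit/seconds`
    would push into the overload table (sliding-window approximation of
    pf's moving average)."""
    hits = set()
    for src, times in conns.items():
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() < seconds:
                j += 1
            if j - i + 1 > limit:
                hits.add(src)
                break
    return hits


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    fails = failed_attempts(SAMPLE_LOG)
    for rate in ((2, 1), (1, 10), (3, 60)):
        hits = overloaded(conns, *rate)
        print(f"max-src-conn-rate {rate[0]}/{rate[1]}:")
        for src in sorted(conns):
            print(f"  {src:16} conns={len(conns[src])} failures={fails.get(src, 0)}"
                  f" -> {'OVERLOAD' if src in hits else 'pass'}")
```

At 2/1 the source from the post (one PID, two failures) never trips the rule, while a host that opens three connections in the same second does. Because sshd allows several password attempts per connection (MaxAuthTries, default 6), a brute forcer that reconnects every few seconds stays under a connection-rate rule no matter how many passwords it tries; a longer interval such as 3/30 tightens that, and a log-driven tool that counts failures rather than connections closes the remaining gap.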