From: "Sergey V. Dyatko"
To: freebsd-pf@FreeBSD.org
Date: Tue, 17 Nov 2009 12:48:04 +0200
Subject: pf and max-src-conn-rate
Message-ID: <20091117124804.08d70a8e@notebook>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

Hi list,

I'm trying to stop ssh bruteforce on my box (rules below), but it doesn't
work. Looks like 1 sec interval is too small :(

From auth.log:

...
Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from 200.27.164.214
Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication error for illegal user cobert from server.aconex.cl
Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
...
Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication error for illegal user colman from 80.243.172.54
Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45081 ssh2
...

As you can see I got 2 connections from 1 IP in 1 second but...

#pfctl -tbots -Tshow|wc -l
0

Where am I wrong?

pf.conf:

ext_if="em0"
table { my_net/24, some_ip/32}
table persist
scrub in all
pass in quick on $ext_if proto tcp from
block in quick from
pass in quick on $ext_if proto tcp to $ext_if port ssh \
    flags S/SA keep state \
    ( max-src-conn-rate 2/1 overload flush )
pass in all
pass out all

-- 
wbr, tiger
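
Added example, not part of the original message: pf's max-src-conn-rate counts new TCP connections per source address, while auth.log records authentication events, so this sketch groups the quoted log lines by sshd PID to compare the two. It assumes one sshd PID per TCP connection and the year 2009 (taken from the mail date); the function names are illustrative, and the sliding window only approximates pf's internal rate counter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines copied from the message above (syslog omits the year).
SAMPLE = """\
Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from 200.27.164.214
Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication error for illegal user cobert from server.aconex.cl
Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication error for illegal user colman from 80.243.172.54
Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45081 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
IPV4 = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})\b")

def connections(log, year=2009):
    """Return {pid: (first_seen, source_ip)}.

    Assumption: each sshd PID corresponds to one TCP connection.
    """
    conns = {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        ip = IPV4.search(msg)  # some lines carry a hostname instead of an IP
        first, src = conns.get(pid, (when, None))
        conns[pid] = (min(first, when), src or (ip.group(1) if ip else None))
    return conns

def over_rate(log, limit, seconds):
    """Sources that opened more than `limit` connections within `seconds`."""
    per_src = defaultdict(list)
    for first, src in connections(log).values():
        if src:
            per_src[src].append(first)
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        # Any limit+1 consecutive connection starts inside the window exceed the rate.
        for i in range(len(times) - limit):
            if times[i + limit] - times[i] <= timedelta(seconds=seconds):
                flagged.add(src)
    return flagged
```

Calling `over_rate(SAMPLE, 2, 1)` applies the same 2/1 threshold as the rule in the message to the quoted lines.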