Date: Tue, 8 Feb 2011 18:02:49 -0500
From: Vadym Chepkov <vchepkov@gmail.com>
To: Helmut Schneider <jumper99@gmx.de>
Cc: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks
Message-ID: <A6E48F78-AC10-40DE-9345-86D14CC4D3A1@gmail.com>
In-Reply-To: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de>
References: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com> <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de>
On Feb 8, 2011, at 5:26 PM, Helmut Schneider wrote:

>> Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.
>
> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post a vital part). We also can assume that pf is enabled, can we?

What should I be looking for in pflog? I can't find anything ssh related. I posted full ruleset too.

[root@castor ~]# service pf status
Status: Enabled for 74 days 00:20:02           Debug: Urgent

State Table                          Total             Rate
  current entries                       10
  searches                        94773790           14.8/s
  inserts                           228426            0.0/s
  removals                          228416            0.0/s
Counters
  match                           93343976           14.6/s
  bad-offset                             0            0.0/s
  fragment                              11            0.0/s
  short                                  0            0.0/s
  normalize                              4            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                          40706            0.0/s
  proto-cksum                          354            0.0/s
  state-mismatch                        57            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                            116            0.0/s
  synproxy                               0            0.0/s

[root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)

[root@castor ~]# pfctl -sr
scrub in all fragment reassemble
block return in log on bce1 all
block drop in quick on bce1 from <martians> to any
block return out quick on bce1 from any to <martians>
pass out quick on bce1 from <granted_out_net> to any flags S/SA keep state
block drop in quick from <abusive_hosts> to any
pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global, src.track 60)
pass quick inet proto tcp from any to 38.X.X.X port = domain flags S/SA keep state
pass quick inet proto udp from any to 38.X.X.X port = domain keep state
pass quick inet proto udp from any to 38.X.X.X port = openvpn keep state
pass quick inet proto icmp from any to 38.X.X.X icmp-type squench no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type unreach no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type timex no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type echoreq no state
pass quick inet proto udp from any to 38.X.X.X port 33434:33523 keep state

Thanks,
Vadym
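The SSH rule in the posted ruleset relies on three things working together: `max-src-conn 10` (simultaneous established TCP connections from one source), `max-src-conn-rate 9/60` (a decaying per-source rate of new connections), and `overload <abusive_hosts> flush global` (put the source into the table and kill its states), with `block drop in quick from <abusive_hosts>` placed before the pass rule so the table is honoured. What the thread does not spell out is exactly which connection pattern crosses those thresholds. The following is an added model of that accounting, not code from the post or from pf itself. Assumptions: the source addresses are constructed from the 192.0.2.0/24 documentation range; pf only counts a TCP connection toward these limits once the three-way handshake has completed, so a connection attempt that never completes the handshake does not feed the counter; and the decaying-counter arithmetic (each counted connection adds 1000, the counter decays by `count * elapsed / seconds`, and the limit is `number * 1000`) follows my reading of `pf_add_threshold()`/`pf_check_threshold()` in pf.c, which you should treat as an approximation rather than the kernel's exact behaviour.

```python
"""Model of pf source-tracking limits for a rule of the form

    pass ... keep state (source-track rule, max-src-conn 10,
        max-src-conn-rate 9/60, overload <abusive_hosts> flush global)

Constructed example; not pf's code. The decaying-counter arithmetic is an
assumption modelled on pf_add_threshold()/pf_check_threshold() in pf.c.
"""
from collections import defaultdict

THRESHOLD_MULT = 1000  # pf scales the rate counter by this to stay in integer math


class SourceNode:
    """Per-source state pf keeps for a rule with 'source-track'."""

    def __init__(self):
        self.conn = 0      # established TCP connections open right now
        self.count = 0     # decaying connection-rate counter
        self.last = None   # time of the last counted connection


def simulate(events, max_src_conn=10, rate_limit=9, rate_seconds=60):
    """events: iterable of (time_s, src_ip, kind); kind is 'established'
    (TCP handshake completed, the point at which pf counts it) or 'closed'.
    Returns (overloaded, log): src_ip -> (time, reason) for sources the rule
    would push into the overload table, plus a list of (time, src_ip, note).
    """
    nodes = defaultdict(SourceNode)
    overloaded = {}
    log = []
    for t, ip, kind in sorted(events):
        if ip in overloaded:
            # 'block drop in quick from <abusive_hosts>' sits before the pass rule
            log.append((t, ip, "dropped: source is in <abusive_hosts>"))
            continue
        n = nodes[ip]
        if kind == "closed":
            n.conn = max(0, n.conn - 1)
            continue
        # Equivalent of pf_src_connlimit(): runs when the handshake completes.
        n.conn += 1
        if n.last is not None:
            elapsed = t - n.last
            if elapsed >= rate_seconds:
                n.count = 0                      # window fully expired
            else:
                n.count -= n.count * elapsed // rate_seconds   # linear decay
        n.count += THRESHOLD_MULT
        n.last = t
        reasons = []
        if max_src_conn and n.conn > max_src_conn:
            reasons.append(f"max-src-conn {max_src_conn} exceeded ({n.conn} open)")
        if rate_limit and n.count > rate_limit * THRESHOLD_MULT:
            reasons.append(f"max-src-conn-rate {rate_limit}/{rate_seconds} exceeded")
        if reasons:
            overloaded[ip] = (t, "; ".join(reasons))
            n.conn = 0   # 'flush global': every state from this source is killed
            log.append((t, ip, "added to <abusive_hosts>: " + overloaded[ip][1]))
        else:
            log.append((t, ip, f"allowed (open={n.conn}, rate counter={n.count})"))
    return overloaded, log


def constructed_events():
    """Three constructed SSH client behaviours against the posted thresholds."""
    ev = []
    # 192.0.2.10: 12 short sessions, one every 2 s, each closed after 1 s.
    for i in range(12):
        ev.append((2 * i, "192.0.2.10", "established"))
        ev.append((2 * i + 1, "192.0.2.10", "closed"))
    # 192.0.2.20: 20 short sessions, one every 10 s (6 per minute, under 9/60).
    for i in range(20):
        ev.append((10 * i, "192.0.2.20", "established"))
        ev.append((10 * i + 1, "192.0.2.20", "closed"))
    # 192.0.2.30: one new session every 30 s, none ever closed.
    for i in range(11):
        ev.append((30 * i, "192.0.2.30", "established"))
    return ev


if __name__ == "__main__":
    overloaded, log = simulate(constructed_events())
    for t, ip, note in log:
        print(f"t={t:4d}s  {ip:<12} {note}")
    print("overload table:", overloaded)
```

Running it shows the two distinct ways a source ends up in the table: 192.0.2.10 trips `max-src-conn-rate` on its 11th connection at t=20 s even though it never holds more than one session open, 192.0.2.30 trips `max-src-conn` on its 11th simultaneous session at t=300 s while its rate counter stays low, and 192.0.2.20 at six connections per minute never trips either. On the real box the corresponding checks are `pfctl -t abusive_hosts -T show` to see what is currently in the table and the `src-limit` counter in `pfctl -si` (the `service pf status` output above), which pf increments when a source limit causes a drop, so a non-zero value there means the limit has fired at some point.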