From: Vadym Chepkov <vchepkov@gmail.com>
Date: Tue, 8 Feb 2011 18:02:49 -0500
In-Reply-To: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de>
To: Helmut Schneider
Cc: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Feb 8, 2011, at 5:26 PM, Helmut Schneider wrote:

>> Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.
>
> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post a vital part). We also can assume that pf is enabled, can we?

What should I be looking for in pflog? I can't find anything ssh related. I posted full ruleset too.

[root@castor ~]# service pf status
Status: Enabled for 74 days 00:20:02           Debug: Urgent

State Table                          Total             Rate
  current entries                       10
  searches                        94773790           14.8/s
  inserts                           228426            0.0/s
  removals                          228416            0.0/s
Counters
  match                           93343976           14.6/s
  bad-offset                             0            0.0/s
  fragment                              11            0.0/s
  short                                  0            0.0/s
  normalize                              4            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                          40706            0.0/s
  proto-cksum                          354            0.0/s
  state-mismatch                        57            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                            116            0.0/s
  synproxy                               0            0.0/s

[root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)

[root@castor ~]# pfctl -sr
scrub in all fragment reassemble
block return in log on bce1 all
block drop in quick on bce1 from to any
block return out quick on bce1 from any to
pass out quick on bce1 from to any flags S/SA keep state
block drop in quick from to any
pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload flush global, src.track 60)
pass quick inet proto tcp from any to 38.X.X.X port = domain flags S/SA keep state
pass quick inet proto udp from any to 38.X.X.X port = domain keep state
pass quick inet proto udp from any to 38.X.X.X port = openvpn keep state
pass quick inet proto icmp from any to 38.X.X.X icmp-type squench no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type unreach no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type timex no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type echoreq no state
pass quick inet proto udp from any to 38.X.X.X port 33434:33523 keep state

Thanks,
Vadym