From: "Helmut Schneider"
To: "Vadym Chepkov"
Cc: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks
Date: Wed, 9 Feb 2011 01:01:35 +0100
Message-ID: <98689EFE59404E4B838E79071AABA8B4@charlieroot.de>
References: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"

>> Check your pflog. The ruleset itself seems fine (if it is complete and
>> you did not forget to post a vital part). We also can assume that pf is
>> enabled, can we?
>
> What should I be looking for in pflog? I can't find anything ssh related.
> I posted full ruleset too.

[...]

> [root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
> reading from file -, link-type PFLOG (OpenBSD pflog file)
> reading from file -, link-type PFLOG (OpenBSD pflog file)
> reading from file -, link-type PFLOG (OpenBSD pflog file)
> reading from file -, link-type PFLOG (OpenBSD pflog file)

Well...

> block drop in quick from to any
> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep
> state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60,
> overload flush global, src.track 60)

"block drop in quick log..." and "pass quick inet proto log" might be useful.

BTW, what version of FreeBSD are you using? The machine isn't multi-homed, is it?
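The point Helmut is making is that pf only writes to pflog0 for rules that carry the "log" keyword, so a tcpdump over the pflog files will stay empty no matter how many connections the overload rule drops. The fragment below is an added example, not part of this thread or of the original poster's ruleset: it is the quoted pair of rules with "log" added, written in pf.conf syntax rather than as pfctl -sr output. The table name <ssh_bruteforce> is an assumption (the name in the quoted rules was lost when the message was archived), and 192.0.2.10 is a documentation address standing in for the redacted 38.X.X.X.

```pf
# Added example (not from the thread): the quoted SSH overload rules with
# "log" added so that blocked and accepted attempts actually reach pflog0.
# Assumed names: table <ssh_bruteforce>, server address 192.0.2.10
# (stands in for the thread's redacted 38.X.X.X).

ssh_host = "192.0.2.10"

# The table the pass rule overloads into; "persist" keeps it across
# ruleset reloads so already-flagged sources are not forgotten.
table <ssh_bruteforce> persist

# Without "log" pf drops silently.  With it, every packet matching this
# rule (block rules create no state, so that is every packet from a
# flagged source) is written to pflog0.
block drop in log quick from <ssh_bruteforce> to any

# On a stateful pass rule "log" records only the packet that creates the
# state, i.e. one entry per accepted SSH connection; "log (all)" would
# record every packet of every SSH session instead.
# The overload options are the same as in the quoted pfctl -sr output:
# more than 10 simultaneous connections, or more than 9 new connections
# in 60 seconds, from one source moves that source into the table and
# flushes its existing states.
pass log quick inet proto tcp from any to $ssh_host port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 9/60, \
     overload <ssh_bruteforce> flush global)

# Checks, run as root after "pfctl -f /etc/pf.conf":
#   pfctl -vsr                      # per-rule packet counters; a block rule
#                                   # that never matched shows 0 packets
#   pfctl -t ssh_bruteforce -T show # sources currently flagged
#   tcpdump -n -e -ttt -i pflog0 port ssh          # live view of logged packets
#   bzcat /var/log/pflog.0.bz2 | tcpdump -n -e -ttt -r - port ssh   # rotated log
# On FreeBSD the on-disk /var/log/pflog only exists when pflogd is running
# (pflog_enable="YES" in /etc/rc.conf); pflog0 itself works without it.
```

Reading the output of "pfctl -vsr" is the quickest way to settle the question in the thread: if the block rule's counters stay at zero while the pass rule's rise, the overload is never triggering and the source-tracking thresholds, not the logging, are what needs attention.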