From: Eygene Ryabinkin
To: Bill Moran
Cc: freebsd-security@freebsd.org, "W. D."
Date: Wed, 21 Mar 2007 17:50:42 +0300
Subject: Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID: <20070321145041.GG14837@codelabs.ru>
In-Reply-To: <20070321103006.c57729cc.wmoran@collaborativefusion.com>
References: <20070321123033.GD31533@bunrab.catwhisker.org> <20070321092724.fd6f1541.wmoran@collaborativefusion.com> <20070321103006.c57729cc.wmoran@collaborativefusion.com>
List-Id: "Security issues [members-only posting]"

On Wed, Mar 21, 2007 at 10:30:06AM -0400, Bill Moran wrote:
> In response to "W. D." :
> > At 08:27 3/21/2007, Bill Moran, wrote:
> > > I run a little script I wrote that automatically adds
> > > failed SSH attempts to a table that blocks them from _everything_ in my
> > > pf rules.
> >
> > Do you care to share that script?
> It's pretty basic, but I will share it. I've been waiting until I'd been
> using it for a while to make sure there weren't any problems.

You can use the following rule that will put very fast SSH connectors
into the pf table ssh_scans:
-----
pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
        keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
-----
and you can do whatever you like with the ssh_scans table in your pf
ruleset. It is just another option to throttle SSH scans with pf,
though you should whitelist the known good hosts that are doing massive
numbers of SSH connections to your host. And you can use the expiretable
port to expire the entries in ssh_scans. Not a silver bullet, but it
has proved useful in some configurations.
--
Eygene
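A fuller pf.conf fragment built around the overload rule in the message above, showing the table, the whitelist and the block rule together. This is an added example, not code from Eygene's reply or from the FreeBSD project; the interface name em0, the host address 192.0.2.10 and the whitelist entries 192.0.2.0/24 and 198.51.100.7 are placeholder assumptions (RFC 5737 documentation addresses) standing in for a real setup.

```pf
# /etc/pf.conf fragment -- added example, not from the original message.
# Placeholder values: adjust ext_if, ssh_ip and the whitelist to your hosts.
ext_if = "em0"
ssh_ip = "192.0.2.10"

# Known good hosts that legitimately open many SSH sessions
# (monitoring, backup, deployment boxes). Never rate-limit these.
table <ssh_whitelist> persist { 192.0.2.0/24, 198.51.100.7 }

# Populated automatically by the overload clause below.
# "persist" keeps the table (and its entries) across ruleset reloads.
table <ssh_scans> persist

# Rules marked "quick" stop evaluation on first match, so order matters:
# 1. drop everything, not just SSH, from sources that tripped the limiter
block in quick on $ext_if from <ssh_scans>

# 2. let whitelisted hosts reach sshd without any source limits
pass in quick on $ext_if proto tcp from <ssh_whitelist> to $ssh_ip port 22 \
        flags S/SA keep state

# 3. everyone else: at most 4 simultaneous connections per source, and no
#    more than 6 new connections per second per source. A source that
#    exceeds either limit is added to <ssh_scans>; "flush global" also
#    kills every existing state from that source, not only the SSH ones
#    (plain "flush", as in the original rule, kills only states created
#    by this rule).
pass in quick on $ext_if proto tcp from any to $ssh_ip port 22 \
        flags S/SA keep state \
        (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush global)
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. `pfctl -t ssh_scans -T show` lists the sources that have been caught, and `pfctl -t ssh_scans -T delete 203.0.113.5` releases one by hand if a legitimate host trips the limit (that address is a placeholder). Because the overload clause only ever adds entries, the table grows without bound unless something ages it; the expiretable port mentioned above does that, for example `expiretable -t 24h ssh_scans` run from cron to drop entries older than 24 hours.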