From: Nico De Dobbeleer
To: freebsd-pf@freebsd.org
Date: Sat, 5 Dec 2009 15:09:52 +0100 (CET)
Message-ID: <6783768.102251260022192330.JavaMail.root@zimbra-store>
Subject: Limit connections doesn't work
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

As with most public IPs, my servers are constantly under brute-force attack; see this example:

Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2
Dec 5 13:56:51 hosting sshd[18629]: Invalid user rtorres from 173.10.126.226
Dec 5 13:56:53 hosting sshd[18629]: Failed password for invalid user rtorres from 173.10.126.226 port 49872 ssh2
Dec 5 13:56:55 hosting sshd[18631]: Invalid user jatema from 173.10.126.226
Dec 5 13:56:57 hosting sshd[18631]: Failed password for invalid user jatema from 173.10.126.226 port 50293 ssh2
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 173.10.126.226 port 50702 ssh2
Dec 5 13:57:04 hosting sshd[18635]: Failed password for invalid user root from 173.10.126.226 port 51154 ssh2
Dec 5 13:57:06 hosting sshd[18637]: Invalid user boss from 173.10.126.226
Dec 5 13:57:08 hosting sshd[18637]: Failed password for invalid user boss from 173.10.126.226 port 51507 ssh2
Dec 5 13:57:09 hosting sshd[18639]: Invalid user sasha from 173.10.126.226
Dec 5 13:57:11 hosting sshd[18639]: Failed password for invalid user sasha from 173.10.126.226 port 51929 ssh2
Dec 5 13:57:13 hosting sshd[18641]: Invalid user vic from 173.10.126.226
Dec 5 13:57:14 hosting sshd[18641]: Failed password for invalid user vic from 173.10.126.226 port 52321 ssh2
Dec 5 13:57:16 hosting sshd[18643]: Invalid user ranjith from 173.10.126.226
Dec 5 13:57:18 hosting sshd[18643]: Failed password for invalid user ranjith from 173.10.126.226 port 52650 ssh2
Dec 5 13:57:21 hosting sshd[18645]: Failed password for invalid user root from 173.10.126.226 port 53087 ssh2
Dec 5 13:57:25 hosting sshd[18647]: Failed password for invalid user root from 173.10.126.226 port 53447 ssh2
Dec 5 13:57:29 hosting sshd[18649]: Failed password for invalid user root from 173.10.126.226 port 53852 ssh2

Now I want to limit the connections over ssh to a specific IP address, and I added the rules below for that.

------------------------------------------------------------------------------------------------------------------
#Tables
table persist file "/etc/pf.abusive_ips.block.list"
table persist

# Rules
block quick from
block quick from

# Limit connections per IP
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/15, overload flush)
--------------------------------------------------------------------------------------------------------------------

The only problem is that it doesn't work. These rules don't write the abusive IP into the abusive list file or into the table. Anyone have an idea why it doesn't overload the IPs when the connections per IP are more than 10 or more than 3/15?

With kind regards,
Nico De Dobbeleer
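As an added illustration (not part of Nico's post, and not pf's own code), the following Python script replays the sshd lines quoted above through a sliding window to show what `max-src-conn-rate 3/15` means: a source that opens more than 3 new connections inside any 15-second window is overloaded, and sshd logs one pid per TCP connection, so the first line from each pid is the event to count. Two caveats worth keeping in mind when reading the rules: the `file` keyword on a `table ... persist file` definition only loads addresses when the ruleset is loaded, pf never writes back to that file, so overloaded addresses show up in the in-kernel table (`pfctl -t NAME -T show`) and not on disk; and the table names, which pf writes in angle brackets, are missing from the archived rules, so the table name in the script is a placeholder. The sample log is constructed from the post's lines plus one hypothetical successful login from 192.0.2.10.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a subset of the sshd lines quoted in the post, plus one
# hypothetical legitimate login from 192.0.2.10 so a non-abusive source is present.
SAMPLE_LOG = """\
Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 173.10.126.226 port 50702 ssh2
Dec 5 13:57:40 hosting sshd[18700]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
"""

# Syslog prefix, the sshd pid and the source address; the message body varies.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[(?P<pid>\d+)\]: .*?\bfrom (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def new_connections(log_text, year=2009):
    """Return [(timestamp, src)] for each new sshd session.

    sshd forks one process per TCP connection, so the first line logged by a
    given pid marks a new connection; later lines from the same pid belong to
    the same session and must not be counted again.
    """
    seen, conns = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["pid"] in seen:
            continue
        seen.add(m["pid"])
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        conns.append((ts, m["src"]))
    return conns


def overloaded_sources(log_text, max_conn=3, window_s=15):
    """Model of pf's max-src-conn-rate <max_conn>/<window_s>.

    A source is 'overloaded' the first time it opens more than max_conn new
    connections inside any window_s-second window. Returns {src: timestamp}.
    """
    recent = defaultdict(deque)   # src -> timestamps of connections in window
    hits = {}
    for ts, src in new_connections(log_text):
        if src in hits:
            continue              # already overloaded; pf would block it now
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # expire connections older than the window
        if len(q) > max_conn:
            hits[src] = ts
    return hits


def pfctl_add_commands(hits, table="TABLE_NAME"):
    """pfctl commands that would add the overloaded sources to a pf table.

    'table' is a placeholder: the real table names are missing from the
    archived post, so substitute the name used in your own pf.conf.
    """
    return [f"pfctl -t {table} -T add {src}" for src in sorted(hits)]


if __name__ == "__main__":
    for src, ts in overloaded_sources(SAMPLE_LOG).items():
        print(f"{src} exceeded 3 connections / 15 s at {ts:%H:%M:%S}")
    print("\n".join(pfctl_add_commands(overloaded_sources(SAMPLE_LOG))))
```

Run on the sample, the script reports 173.10.126.226 as overloaded at 13:56:47, its fourth connection within 15 seconds, while the single login from 192.0.2.10 is never flagged; raising the threshold to 10 connections, as the `max-src-conn 10` clause in the rules does for concurrent states, flags nothing in this short excerpt, which is why the rate clause is the one that matters against a slow, sequential brute-forcer.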