From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 00:11:42 2011
From: Vadym Chepkov
To: Helmut Schneider
Cc: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks
Date: Tue, 8 Feb 2011 19:11:40 -0500
Message-Id: <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com>
In-Reply-To: <98689EFE59404E4B838E79071AABA8B4@charlieroot.de>
References: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de>

On Feb 8, 2011, at 7:01 PM, Helmut Schneider wrote:

>>> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post
>>> a vital part). We also can assume that pf is enabled, can we?
>>
>> What should I be looking for in pflog? I can't find anything ssh-related. I posted the full ruleset too.
> [...]
>> [root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>
> Well...
>
>> block drop in quick from to any
>> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload flush global, src.track 60)
>
> "block drop in quick log..." and "pass quick inet proto log" might be useful. BTW, what version of FreeBSD are you using? The machine isn't multi-homed, is it?

8.1-RELEASE-p1, just one external interface.

I will add "log" to "pass ssh", but what would I "block drop in quick" though?

Vadym
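As an added example, not part of the thread: the pf.conf form of the two rules quoted above with the `log` keyword Helmut suggests, so that overloaded sources and blocked SSH packets actually appear in pflog. The table name `<bruteforce>`, the `$ext_if`/`$ext_ip` macros and the interface name are assumptions (the table name was lost from the quoted ruleset); the check commands at the end are standard pfctl/tcpdump usage.

```pf
# Added example (not from the thread). Assumed names: the <bruteforce>
# table, the ext_if/ext_ip macros and the interface "em0"; substitute yours.
ext_if = "em0"
ext_ip = "38.X.X.X"

# The overload clause below fills this table; "persist" keeps it across reloads.
table <bruteforce> persist

# Both rules are "quick", so the block must come BEFORE the pass rule:
# the first matching quick rule wins, and an address that has already
# tripped the limit must not reach the pass rule again.
# "log" is what makes pf copy the packet to pflog0; without it the drop
# is silent and tcpdump on pflog shows nothing for port ssh.
block drop in quick log on $ext_if from <bruteforce> to any

# One source holding 10 states, or opening more than 9 connections in 60 s,
# is added to <bruteforce>; "flush global" also tears down the states it
# already has instead of letting them run to completion.
pass in quick log on $ext_if inet proto tcp from any to $ext_ip port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 9/60, overload <bruteforce> flush global)

# Checks, run as root after reloading with `pfctl -f /etc/pf.conf`:
#   pfctl -s info                                  # "Status: Enabled" answers "is pf on?"
#   pfctl -t bruteforce -T show                    # addresses that tripped the limit
#   tcpdump -n -e -ttt -r /var/log/pflog port ssh  # -e prints rule number and block/pass
#   tcpdump -n -e -ttt -i pflog0 port ssh          # the same, live
```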