Date: Tue, 30 Sep 2008 16:01:26 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-hackers@FreeBSD.ORG, roberto@keltia.freenix.fr
Subject: Re: SSH Brute Force attempts
Message-ID: <200809301401.m8UE1QDm039930@lurza.secnetix.de>
In-Reply-To: <20080930081637.GA34744@keltia.freenix.fr>
Ollivier Robert <> wrote:
 > According to Henrik Hudson:
 > > Yeap, -security
 > >
 > > However, also try this in pf.conf (specific rules related to this; you'll need
 > > more for a real pf.conf):
 > >
 > > table <badguys> { } persist
 > > block in quick from <badguys>
 > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
 > >     (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
 >
 > That one is very effective.

It's especially effective at enabling someone to DoS you. An attacker
simply has to spoof the source address on SYN packets, which is
trivial. :-(

It is marginally better to use one of those tools that parse the logs
for failed ssh logins, and use that information to block addresses.
In order to abuse that, an attacker would have to spoof a full TCP
connection setup plus initial SSH conversation, which is far from
trivial.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry court Munich, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registry court
Munich, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

"Perl will consistently give you what you want, unless what you want
is consistency."
        -- Larry Wall
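The log-parsing approach Oliver prefers, as an added example that is not part of the thread: it scans sshd "Failed password" lines, applies the same 4-failures-per-300-seconds threshold the quoted pf rule used, and emits the `pfctl -t badguys -T add` commands for the offenders. Only addresses that completed a real TCP handshake and SSH exchange can appear in these lines, which is the whole point; the log lines, hostname and addresses are constructed, and `offenders`, `parse_failures` and `pfctl_commands` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in FreeBSD syslog format (not taken from the thread).
SAMPLE_LOG = """\
Sep 30 15:58:01 host sshd[4120]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Sep 30 15:58:03 host sshd[4122]: Failed password for root from 192.0.2.10 port 40002 ssh2
Sep 30 15:58:05 host sshd[4124]: Failed password for invalid user test from 192.0.2.10 port 40003 ssh2
Sep 30 15:58:09 host sshd[4126]: Failed password for invalid user oracle from 192.0.2.10 port 40004 ssh2
Sep 30 15:59:40 host sshd[4130]: Failed password for olli from 198.51.100.7 port 50001 ssh2
Sep 30 15:59:45 host sshd[4131]: Accepted publickey for olli from 198.51.100.7 port 50002 ssh2
Sep 30 16:00:00 host sshd[4140]: Failed password for invalid user guest from 203.0.113.9 port 60001 ssh2
"""

# Timestamp and source address of a failed password authentication.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_failures(log_text, year=2008):
    """Yield (timestamp, source_ip) for every 'Failed password' line (syslog omits the year)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def offenders(log_text, threshold=4, window=timedelta(seconds=300)):
    """Return source IPs with >= threshold failures inside any sliding window (4/300 by default)."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    bad = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bad.add(ip)
                break
    return bad

def pfctl_commands(ips, table="badguys"):
    """Build the pfctl invocations that add each offender to the pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]

if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Running it over the sample prints a single `pfctl -t badguys -T add 192.0.2.10`; the legitimate user who mistyped once and the single-failure address stay unblocked.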