From owner-freebsd-hackers@FreeBSD.ORG Tue Sep 30 14:01:28 2008
Date: Tue, 30 Sep 2008 16:01:26 +0200 (CEST)
Message-Id: <200809301401.m8UE1QDm039930@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-hackers@FreeBSD.ORG, roberto@keltia.freenix.fr
In-Reply-To: <20080930081637.GA34744@keltia.freenix.fr>
Subject: Re: SSH Brute Force attempts
List-Id: Technical Discussions relating to FreeBSD

Ollivier Robert <> wrote:
> According to Henrik Hudson:
> > Yeap, -security
> >
> > However, also try this in pf.conf (specific rules related to this; you'll need
> > more for a real pf.conf):
> >
> > table { } persist
> > block in quick from
> > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
> >     (max-src-conn 5, max-src-conn-rate 4/300, overload flush global)
>
> That one is very effective.

It's especially effective at enabling an attacker to DoS you. An attacker
simply has to spoof the source address on SYN packets, which is trivial. :-(

It is marginally better to use one of those tools that parse the logs for
failed ssh logins, and use that information to block addresses. In order to
abuse that, an attacker would have to spoof a full TCP connection setup plus
the initial SSH conversation, which is far from trivial.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München,
HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"Perl will consistently give you what you want,
unless what you want is consistency."
        -- Larry Wall
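The log-driven approach Oliver describes, as an added example written for this page (it is not code from the thread, from pf, or from any of the existing log-watching tools). It counts sshd's "Failed password" syslog lines per source address over a sliding window, the same 5-in-300-seconds shape as the quoted max-src-conn-rate rule but keyed on completed authentication failures, which a spoofed SYN can never produce. The log lines are constructed samples, the pf table name `bruteforce` is an assumption (the name in the quoted rules was lost), and the allow-list is an addition so that an admin network cannot block itself; the pfctl commands are only built as strings, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of sshd lines as syslog writes them to /var/log/auth.log.
# Hostname, PIDs and addresses are made up for this example (RFC 5737 ranges).
SAMPLE_LOG = """\
Sep 30 15:00:00 gw sshd[3900]: Failed password for root from 203.0.113.5 port 33000 ssh2
Sep 30 15:05:30 gw sshd[3901]: Failed password for root from 203.0.113.5 port 33001 ssh2
Sep 30 15:11:00 gw sshd[3902]: Failed password for root from 203.0.113.5 port 33002 ssh2
Sep 30 15:16:30 gw sshd[3903]: Failed password for root from 203.0.113.5 port 33003 ssh2
Sep 30 15:22:00 gw sshd[3904]: Failed password for root from 203.0.113.5 port 33004 ssh2
Sep 30 15:58:01 gw sshd[4001]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Sep 30 15:58:03 gw sshd[4003]: Failed password for root from 192.0.2.10 port 40130 ssh2
Sep 30 15:58:05 gw sshd[4005]: Failed password for root from 192.0.2.10 port 40138 ssh2
Sep 30 15:58:07 gw sshd[4007]: Failed password for invalid user oracle from 192.0.2.10 port 40144 ssh2
Sep 30 15:58:09 gw sshd[4009]: Failed password for invalid user test from 192.0.2.10 port 40150 ssh2
Sep 30 15:58:11 gw sshd[4011]: Failed password for root from 192.0.2.10 port 40156 ssh2
Sep 30 15:59:00 gw sshd[4020]: Accepted publickey for olli from 198.51.100.7 port 51000 ssh2
Sep 30 15:59:30 gw sshd[4021]: Failed password for olli from 198.51.100.7 port 51004 ssh2
Sep 30 16:00:01 gw sshd[4030]: Failed password for root from 10.0.0.5 port 60001 ssh2
Sep 30 16:00:02 gw sshd[4031]: Failed password for root from 10.0.0.5 port 60002 ssh2
Sep 30 16:00:03 gw sshd[4032]: Failed password for root from 10.0.0.5 port 60003 ssh2
Sep 30 16:00:04 gw sshd[4033]: Failed password for root from 10.0.0.5 port 60004 ssh2
Sep 30 16:00:05 gw sshd[4034]: Failed password for root from 10.0.0.5 port 60005 ssh2
"""

# sshd only logs "Failed password" after the TCP handshake, key exchange and an
# authentication attempt have completed, so a spoofed SYN never produces one.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, address) for every authentication failure in the log."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog timestamps carry no year; strptime defaults it to 1900, which is
        # fine for computing differences within one log file
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, ip_address(m.group("ip"))


def find_offenders(log_text, threshold=5, window=timedelta(seconds=300), allow=()):
    """Return {address: peak failures in window} for sources that hit the threshold.

    threshold/window mirror the 4/300 idea of max-src-conn-rate, but counted on
    completed login failures. Addresses inside any `allow` network are never
    reported, so an admin network cannot lock itself out with a typo storm.
    """
    allow_nets = [ip_network(n) for n in allow]
    recent = defaultdict(deque)  # address -> failure timestamps inside the window
    offenders = {}
    for ts, ip in sorted(parse_failures(log_text), key=lambda t: t[0]):
        if any(ip in net for net in allow_nets):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            offenders[str(ip)] = max(len(q), offenders.get(str(ip), 0))
    return offenders


def pfctl_commands(offenders, table="bruteforce"):
    """Build the pfctl invocations that would add each offender to a pf table.

    The table name is an assumption for this example; it must match the
    `table <...> persist` and `block in quick from <...>` lines in pf.conf.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG, allow=("10.0.0.0/8",))
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} failures within 300s")
    for cmd in pfctl_commands(hits):
        print(cmd)
```

On the sample input only 192.0.2.10 is reported: 203.0.113.5 fails five times but never five within 300 seconds, 198.51.100.7 fails once, and 10.0.0.5 is covered by the allow-list. Entries added this way should be aged out (pfctl's `-T expire` does that for table entries older than a given number of seconds) rather than accumulating forever, and the same caveat Oliver raises still applies in a weaker form: anything that can complete the SSH handshake from a given address can get that address blocked, so the allow-list matters.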