From owner-freebsd-hackers@FreeBSD.ORG  Tue Sep 30 15:07:32 2008
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2258A10656A0
	for <freebsd-hackers@freebsd.org>; Tue, 30 Sep 2008 15:07:32 +0000 (UTC)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk
	[IPv6:2001:8b0:151:1::1])
	by mx1.freebsd.org (Postfix) with ESMTP id 8B2C08FC29
	for <freebsd-hackers@freebsd.org>; Tue, 30 Sep 2008 15:07:31 +0000 (UTC)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from lack-of-gravitas.thebunker.net (gateway.ash.thebunker.net
	[213.129.64.4]) (authenticated bits=0)
	by smtp.infracaninophile.co.uk (8.14.3/8.14.3) with ESMTP id
	m8UF7Nj1038775
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 30 Sep 2008 16:07:24 +0100 (BST)
	(envelope-from m.seaman@infracaninophile.co.uk)
X-DKIM: Sendmail DKIM Filter v2.7.2 smtp.infracaninophile.co.uk m8UF7Nj1038775
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
	d=infracaninophile.co.uk; s=200708; t=1222787244; bh=ulnw4iyPlO5yma
	JQhSKFwFOh86Lnox8W8Miej5zystA=; h=Message-ID:Date:From:MIME-Version:
	To:Subject:References:In-Reply-To:Content-Type:
	Content-Transfer-Encoding:Cc:Content-Type:Date:From:In-Reply-To:
	Message-ID:Mime-Version:References:To; z=Message-ID:=20<48E240AB.9
	040802@infracaninophile.co.uk>|Date:=20Tue,=2030=20Sep=202008=2016:
	07:23=20+0100|From:=20Matthew=20Seaman=20<m.seaman@infracaninophile
	.co.uk>|Organization:=20Infracaninophile|User-Agent:=20Thunderbird=
	202.0.0.16=20(X11/20080811)|MIME-Version:=201.0|To:=20freebsd-hacke
	rs@freebsd.org,=20roberto@keltia.freenix.fr|Subject:=20Re:=20SSH=20
	Brute=20Force=20attempts|References:=20<200809301401.m8UE1QDm039930
	@lurza.secnetix.de>|In-Reply-To:=20<200809301401.m8UE1QDm039930@lur
	za.secnetix.de>|X-Enigmail-Version:=200.95.6|Content-Type:=20text/p
	lain=3B=20charset=3DUTF-8=3B=20format=3Dflowed|Content-Transfer-Enc
	oding:=207bit; b=gVEaGT1z6H+771N2i1AnVurdKOxwzcNiIFCrog0O33vg+gcrIp
	fXRMxF2IfcHVm8Bbtou0vcQst//43zgNSsno7Ud3hk2fD4n6croPl9vLP3RAH7MCpNh
	o5NBWfDk647twaGxtGZ/RJkQLCDaufV6qdRKs8jeY0MpjtJjA7ZNQY=
Message-ID: <48E240AB.9040802@infracaninophile.co.uk>
Date: Tue, 30 Sep 2008 16:07:23 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
User-Agent: Thunderbird 2.0.0.16 (X11/20080811)
MIME-Version: 1.0
To: freebsd-hackers@freebsd.org, roberto@keltia.freenix.fr
References: <200809301401.m8UE1QDm039930@lurza.secnetix.de>
In-Reply-To: <200809301401.m8UE1QDm039930@lurza.secnetix.de>
X-Enigmail-Version: 0.95.6
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0
	(smtp.infracaninophile.co.uk [81.187.76.162]);
	Tue, 30 Sep 2008 16:07:24 +0100 (BST)
X-Virus-Scanned: ClamAV 0.94/8359/Tue Sep 30 14:29:02 2008 on
	happy-idiot-talk.infracaninophile.co.uk
X-Virus-Status: Clean
X-Spam-Status: No, score=-2.6 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED,
	DKIM_VERIFIED,SPF_FAIL autolearn=no version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	happy-idiot-talk.infracaninophile.co.uk
Cc: 
Subject: Re: SSH Brute Force attempts
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2008 15:07:32 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Oliver Fromme wrote:
| Ollivier Robert <> wrote:
|  > According to Henrik Hudson:
|  > > Yeap, -security
|  > > 
|  > > However, also try this in pf.conf (specific rules related to this; you'll need 
|  > > more for a real pf.conf):
|  > > 
|  > > table <badguys> { } persist
|  > > block in quick from <badguys>
|  > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state 
|  > > (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
|  > 
|  > That one is very effective.
| 
| It's especially effective to enable to DoS you.
| An attacker simply has to spoof the source address
| on SYN packets, which is trivial.  :-(

Adding a whitelist of ssh addresses that should never be blocked is equally
trivial....

But, like the perl folk say: TIMTOWTDI.

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
~                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
~                                                      Kent, CT11 9PW, UK
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREDAAYFAkjiQKsACgkQ3jDkPpsZ+VbzsgCfY64vNfuMhRrGRYgK4rDawWq4
xDwAnRMXY54hiooKCFBp7U/SxILUsxsa
=yQm5
-----END PGP SIGNATURE-----