Date: Tue, 30 Sep 2008 17:15:50 +0200
From: Pierre Riteau <pierre.riteau@gmail.com>
To: freebsd-hackers@FreeBSD.ORG, roberto@keltia.freenix.fr
Subject: Re: SSH Brute Force attempts
Message-ID: <20080930151550.GA20490@omicron.my.domain>
In-Reply-To: <200809301401.m8UE1QDm039930@lurza.secnetix.de>
References: <20080930081637.GA34744@keltia.freenix.fr> <200809301401.m8UE1QDm039930@lurza.secnetix.de>
On Tue, Sep 30, 2008 at 04:01:26PM +0200, Oliver Fromme wrote:
> Ollivier Robert <> wrote:
> > According to Henrik Hudson:
> > > Yeap, -security
> > >
> > > However, also try this in pf.conf (specific rules related to this; you'll need
> > > more for a real pf.conf):
> > >
> > > table <badguys> { } persist
> > > block in quick from <badguys>
> > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
> > > (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
> >
> > That one is very effective.
>
> It's especially effective to enable to DoS you.
> An attacker simply has to spoof the source address
> on SYN packets, which is trivial. :-(

This is not true. pf.conf(5) says:

    For stateful TCP connections, limits on established connections (connections
    which have completed the TCP 3-way handshake) can also be enforced per source
    IP.

    max-src-conn <number>
        Limits the maximum number of simultaneous TCP connections which have
        completed the 3-way handshake that a single host can make.

    max-src-conn-rate <number> / <seconds>
        Limit the rate of new connections over a time interval. The connection
        rate is an approximation calculated as a moving average.

    Because the 3-way handshake ensures that the source address is not being
    spoofed, more aggressive action can be taken based on these limits.
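As an added illustration (not part of the thread), the limiter above expanded into a fuller pf.conf fragment with an allow-list, so the administrator's own hosts can never be pushed into <badguys>. The interface name em0 and the <trusted> addresses are assumed placeholders.

```pf
# Added example, not from the thread: the brute-force limiter with an allow-list.
ext_if = "em0"                        # assumed interface name

# Constructed sample management addresses; replace with your own.
table <trusted> const { 192.0.2.10, 198.51.100.0/24 }
table <badguys> persist

# Trusted hosts are passed first (quick), so they are never rate-limited
# and never blocked even if they end up in <badguys>.
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port ssh keep state

# Everything an overloaded source sends is dropped.
block in quick from <badguys>

# As in the thread: sources are counted only after the 3-way handshake
# completes, so a spoofed SYN cannot put someone else's address in the table.
# More than 5 open sessions, or more than 4 new sessions in 300 s, moves the
# source into <badguys>; "flush global" also kills its existing states.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
    (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
```

Entries in a persist table do not age out on their own: `pfctl -t badguys -T show` lists them and `pfctl -t badguys -T expire 86400` drops those older than a day.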