From: Pierre Riteau
To: freebsd-hackers@FreeBSD.ORG, roberto@keltia.freenix.fr
Date: Tue, 30 Sep 2008 17:15:50 +0200
Subject: Re: SSH Brute Force attempts
Message-ID: <20080930151550.GA20490@omicron.my.domain>
In-Reply-To: <200809301401.m8UE1QDm039930@lurza.secnetix.de>
References: <20080930081637.GA34744@keltia.freenix.fr> <200809301401.m8UE1QDm039930@lurza.secnetix.de>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

On Tue, Sep 30, 2008 at 04:01:26PM +0200, Oliver Fromme wrote:
> Ollivier Robert <> wrote:
> > According to Henrik Hudson:
> > > Yeap, -security
> > >
> > > However, also try this in pf.conf (specific rules related to this; you'll need
> > > more for a real pf.conf):
> > >
> > > table { } persist
> > > block in quick from
> > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
> > > (max-src-conn 5, max-src-conn-rate 4/300, overload flush global)
> >
> > That one is very effective.
>
> It's especially effective to enable to DoS you.
> An attacker simply has to spoof the source address
> on SYN packets, which is trivial. :-(

This is not true. pf.conf(5) says:

     For stateful TCP connections, limits on established connections
     (connections which have completed the TCP 3-way handshake) can also be
     enforced per source IP.

     max-src-conn
           Limits the maximum number of simultaneous TCP connections which
           have completed the 3-way handshake that a single host can make.

     max-src-conn-rate /
           Limit the rate of new connections over a time interval.  The
           connection rate is an approximation calculated as a moving average.

     Because the 3-way handshake ensures that the source address is not being
     spoofed, more aggressive action can be taken based on these limits.
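As an added illustration (not part of this thread and not written by any of the posters), here is the rule Henrik Hudson quotes together with the surrounding pieces a working pf.conf needs. The archive dropped the overload table name from the quoted rule; the name `<ssh_bruteforce>` and the `$ext_if` value `em0` used below are assumptions, not values from the thread.

```pf
# Added example; "ssh_bruteforce" and "em0" are assumed names, not from the thread.
ext_if = "em0"

# Persistent table of source addresses that have tripped the limits below.
# "persist" keeps the table alive even when no loaded rule references it.
table <ssh_bruteforce> persist

# Drop traffic from any address already in the table, before other rules run.
block in quick from <ssh_bruteforce>

# Allow SSH, with per-source limits that only count connections which have
# completed the TCP 3-way handshake (so a spoofed SYN is never counted):
#   max-src-conn 5           at most 5 simultaneous established connections
#   max-src-conn-rate 4/300  at most 4 new established connections per 300 s
# Exceeding either adds the source to <ssh_bruteforce>; "flush global" also
# removes that source's existing states, whichever rule created them.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
    (max-src-conn 5, max-src-conn-rate 4/300, \
     overload <ssh_bruteforce> flush global)
```

Addresses added by `overload` stay in the table until removed, so a table like this is normally maintained from cron: `pfctl -t ssh_bruteforce -T show` lists the current entries and `pfctl -t ssh_bruteforce -T expire 86400` drops entries that have been idle for more than a day, so a legitimate user who tripped the limit once is not locked out forever.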