From: Oliver Fromme
To: freebsd-hackers@FreeBSD.ORG, pierre.riteau@gmail.com, roberto@keltia.freenix.fr
Date: Tue, 30 Sep 2008 17:37:38 +0200 (CEST)
Subject: Re: SSH Brute Force attempts
Message-Id: <200809301537.m8UFbcrt044684@lurza.secnetix.de>
In-Reply-To: <20080930151550.GA20490@omicron.my.domain>

Pierre Riteau wrote:
> Oliver Fromme wrote:
> > Ollivier Robert wrote:
> > > According to Henrik Hudson:
> > > > Yeap, -security
> > > >
> > > > However, also try this in pf.conf (specific rules related to this; you'll need
> > > > more for a real pf.conf):
> > > >
> > > > table { } persist
> > > > block in quick from
> > > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
> > > > (max-src-conn 5, max-src-conn-rate 4/300, overload flush global)
> > >
> > > That one is very effective.
> >
> > It's especially effective in enabling someone to DoS you.
> > An attacker simply has to spoof the source address
> > on SYN packets, which is trivial. :-(
>
> This is not true. pf.conf(5) says:
>
> For stateful TCP connections, limits on established connections (connections
> which have completed the TCP 3-way handshake) can also be enforced
> per source IP.

Thanks for the correction. I prefer IPFW most of the time,
therefore I wasn't aware of this detail.

> Because the 3-way handshake ensures that the source address is not being
> spoofed, more aggressive action can be taken based on these limits.

s/not being spoofed/more difficult to spoof/ ;-)

Still, detecting the break-in attempts on application layer
(e.g. auth log file) is better than on TCP layer.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München,
HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"It combines all the worst aspects of C and Lisp: a billion different
sublanguages in one monolithic executable. It combines the power of C
with the readability of PostScript."
-- Jamie Zawinski, when asked: "What's wrong with perl?"
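The thread ends with the point that counting failed logins in the sshd log is a better signal than counting TCP connections, because sshd only logs a failure after the handshake and the authentication exchange, so the peer address in the log is the one that actually completed the connection. The following is an added example written for this page, not code from the thread, from pf, or from any FreeBSD tool. It parses constructed sshd syslog lines in the format FreeBSD's sshd writes, applies the same 4-failures-in-300-seconds threshold that the quoted `max-src-conn-rate 4/300` rule uses at the TCP layer, and builds (without running) the `pfctl -t ... -T add` commands that would place offenders into a pf table. The table name `ssh_abusers`, the log year and all addresses are assumptions.

```python
"""Application-layer detection of SSH brute-force attempts from sshd log lines.

Added example for this thread; not code from the original message, from pf,
or from any FreeBSD tool. The log format is FreeBSD sshd via syslog
("Mon dd HH:MM:SS host sshd[pid]: message"); table name, thresholds, year
and addresses are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one fast-failing source, one slow one, one success.
SAMPLE_AUTH_LOG = """\
Sep 30 17:01:02 gw sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Sep 30 17:01:09 gw sshd[1002]: Failed password for invalid user oracle from 198.51.100.7 port 40130 ssh2
Sep 30 17:01:15 gw sshd[1003]: Failed password for root from 198.51.100.7 port 40141 ssh2
Sep 30 17:02:01 gw sshd[1004]: Accepted publickey for olli from 192.0.2.50 port 51000 ssh2
Sep 30 17:02:30 gw sshd[1005]: Failed password for invalid user test from 198.51.100.7 port 40150 ssh2
Sep 30 17:03:00 gw sshd[1006]: Failed password for root from 203.0.113.9 port 33000 ssh2
Sep 30 17:05:40 gw sshd[1007]: Failed password for invalid user guest from 198.51.100.7 port 40160 ssh2
Sep 30 17:15:00 gw sshd[1008]: Failed password for root from 203.0.113.9 port 33010 ssh2
Sep 30 17:30:00 gw sshd[1009]: Failed password for root from 203.0.113.9 port 33020 ssh2
"""

# Only failed authentications count; sshd emits these after the TCP
# handshake and the SSH exchange, so the logged address is the real peer.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2008  # syslog timestamps carry no year; assumed for the sample


def parse_failures(text, year=LOG_YEAR):
    """Yield (timestamp, source_ip) for every failed-authentication line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects etc. are not counted
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"]


def find_offenders(text, max_failures=4, window_seconds=300):
    """Return {ip: peak_count} for sources reaching max_failures failed
    logins inside any sliding window of window_seconds. The defaults
    mirror the quoted pf rule's max-src-conn-rate 4/300, but here the
    count is of authentication failures, not of TCP connections."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps inside the window
    offenders = {}
    for ts, ip in sorted(parse_failures(text)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= max_failures:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def pfctl_commands(offenders, table="ssh_abusers"):
    """Build the pfctl invocations that would add each offender to a pf
    table (table name is an assumption). They are returned as strings,
    not executed, so an operator can review them before applying."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    for cmd in pfctl_commands(find_offenders(SAMPLE_AUTH_LOG)):
        print(cmd)
```

With the sample data, 198.51.100.7 crosses the threshold (five failures inside 300 seconds) while 203.0.113.9, with three failures spread over half an hour, does not; the `Accepted publickey` line is ignored. Running the generated `pfctl` commands is left to the operator, and the table they fill would still need a matching `block` rule in pf.conf, as in the quoted ruleset.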