From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 00:51:45 2011
From: Vadym Chepkov
Date: Tue, 8 Feb 2011 19:51:42 -0500
To: Luke Jee
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Feb 8, 2011, at 7:47 PM, Luke Jee wrote:

> Hi Vadym,
>
> try this:
> table
>
> remove persist, I remember it means the table will be read-only

That contradicts the manual:

    Tables may be defined with the following two attributes:

    persist   The persist flag forces the kernel to keep the table even
              when no rules refer to it.  If the flag is not set, the
              kernel will automatically remove the table when the last
              rule referring to it is flushed.

    const     The const flag prevents the user from altering the contents
              of the table once it has been created.  Without that flag,
              pfctl(8) can be used to add or remove addresses from the
              table at any time, even when running with securelevel(7) = 2.

    For example,

        table const { 10/8, 172.16/12, 192.168/16 }
        table persist
        block on fxp0 from { , } to any

>
> On Wed, Feb 9, 2011 at 2:11 AM, Vadym Chepkov wrote:
> Hi,
>
> Could somebody help in figuring out why a PF configuration meant to prevent brutal SSH attacks doesn't work.
>
> Here are the relevant parts:
>
> /etc/ssh/sshd_config
>
> PasswordAuthentication no
> MaxAuthTries 1
>
> /etc/pf.conf
>
> block in log on $wan_if
>
> table persist
> block drop in quick from
>
> pass quick proto tcp to $wan_if port ssh keep state \
>     (max-src-conn 10, max-src-conn-rate 9/60, overload flush global)
>
> I would expect that if somebody tried to make more than 9 connections a minute they would have been blocked.
>
> But it's not the case:
>
> Feb 7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
> Feb 7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
> Feb 7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
> Feb 7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
> Feb 7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
> Feb 7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
> Feb 7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
> Feb 7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
> Feb 7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
> Feb 7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
> Feb 7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
> Feb 7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
> Feb 7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
> Feb 7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
> Feb 7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
> Feb 7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
> Feb 7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
> Feb 7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16
>
> What did I miss?
>
> Thank you,
> Vadym
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> --
> Luke Jee
> CEO
> Prevantage Corporation
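The open question in the thread is whether the source in that sshd log should have exceeded max-src-conn-rate 9/60 at all. The following Python script is an added example, not part of the thread and not pf's own code: it replays the quoted "Invalid user" lines through a sliding-window counter that approximates pf's "more than N new connections from one source within S seconds" check, so a defender can confirm from the log alone that the overload table should have been populated. It assumes each "Invalid user" line is one new TCP connection (consistent with MaxAuthTries 1 and PasswordAuthentication no in the quoted sshd_config), assumes the year 2011 because syslog omits it, and the function names parse_log, find_overloads and per_source_summary are its own.

```python
"""Replay sshd 'Invalid user' log lines through a sliding-window counter
that approximates pf's max-src-conn-rate N/S check: more than N new
connections from one source inside S seconds trips the overload."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Log lines quoted in the message above; each line is assumed to be one
# new TCP connection (MaxAuthTries 1, PasswordAuthentication no).
SAMPLE_LOG = """\
Feb 7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
Feb 7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
Feb 7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
Feb 7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
Feb 7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
Feb 7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
Feb 7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
Feb 7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
Feb 7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
Feb 7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
Feb 7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
Feb 7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
Feb 7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
Feb 7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
Feb 7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
Feb 7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
Feb 7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
Feb 7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16
"""

# Syslog timestamp (no year), host, sshd pid, then the 'Invalid user' text.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: Invalid user \S+ from (?P<src>[\d.]+)$"
)


def parse_log(text, year=2011):
    """Return [(timestamp, source_ip)] in log order; non-matching lines are
    skipped. The year is not in syslog output, so the caller supplies it
    (2011 is assumed for the sample above)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["src"]))
    return events


def find_overloads(events, max_conn, window_s):
    """Return {src: first_trip_time} for every source that made more than
    max_conn new connections inside any window_s-second sliding window,
    i.e. the sources an 'overload' clause would have added to its table.
    pf's own per-source counter differs in detail, but any source that
    exceeds N in S seconds trips both."""
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    tripped = {}
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        # Discard connections older than window_s relative to this one.
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_conn and src not in tripped:
            tripped[src] = ts
    return tripped


def per_source_summary(events):
    """Return {src: (connection_count, span_seconds)} for a quick overall-rate look."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    return {
        src: (len(t), int((max(t) - min(t)).total_seconds()))
        for src, t in by_src.items()
    }


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(per_source_summary(ev))
    for src, when in find_overloads(ev, max_conn=9, window_s=60).items():
        print(f"{src} passed 9 connections/60s at {when:%b %d %H:%M:%S}; "
              "an overload table should have held it from that point on")
```

Run against the quoted log, the script reports 18 connections from 113.185.0.16 in 58 seconds and a trip at 19:20:34, the tenth connection 31 seconds after the first. That confirms the threshold itself was not the problem: a source behaving like this would exceed 9/60 on the tenth connection, so the check to make next is whether the new connections are actually creating state on the pass rule carrying the limits (pfctl -s state and pfctl -t <table> -T show on the overload table are the natural places to look).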