Date:      Thu, 22 Mar 2007 09:57:22 +1100
From:      Carl Makin <carl@xena.IPAustralia.gov.au>
To:        freebsd-security@freebsd.org
Subject:   Re: Reality check: IPFW sees SSH traffic that sshd does not?
Message-ID:  <82953429-B11F-474B-9CB3-E055B07E9767@xena.ipaustralia.gov.au>
In-Reply-To: <20070321145041.GG14837@codelabs.ru>
References:  <20070321123033.GD31533@bunrab.catwhisker.org> <20070321092724.fd6f1541.wmoran@collaborativefusion.com> <20070321103006.c57729cc.wmoran@collaborativefusion.com> <20070321145041.GG14837@codelabs.ru>


On 22/03/2007, at 1:50 AM, Eygene Ryabinkin wrote:

> You can use the following rule that will put very fast SSH connectors
> to the pf table ssh_scans:
> -----
> pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
>   keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
> -----

Interesting, I really must get off my ass and look closely at pf.

I use the Simple Event Correlator (sec, in ports) to parse the auth
logfile and add ipfw rules blocking the originating site once it sees
3 authentication failures of any kind from a single address.  One of
the sec rules looks like this:

-----------------------
type=SingleWithThreshold
ptype=RegExp
pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed password for $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' me@myaddress.com
window=60
thresh=3
-----------------------

ipfwadd.sh is just

/sbin/ipfw add 25 deny log tcp from $1 to any in via tun0

-----------------------

I also have a rule that emails me whenever someone successfully logs into the system.

It's not foolproof, but it helps.


Carl.
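Carl's sec rule above, replayed as a stand-alone dry run; this is an added example, not code from the thread. It assumes constructed auth log lines, mirrors the rule's regexp, window=60 and thresh=3, and returns the ipfw command ipfwadd.sh would run instead of executing it; one sample line uses sshd's "invalid user" wording, which that regexp does not match, so it is never counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same regexp as the sec rule: $1 = user, $2 = source address, $3 = port.
PATTERN = re.compile(r"Failed password for (\S+) from (\S+) port (\S+) ssh2")
WINDOW = timedelta(seconds=60)  # sec's window=60
THRESH = 3                      # sec's thresh=3

# Constructed sample auth log (syslog timestamps, documentation addresses).
# The "invalid user" line uses sshd's wording for unknown accounts.
SAMPLE_LOG = """\
Mar 22 09:50:01 xena sshd[1234]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar 22 09:50:05 xena sshd[1235]: Failed password for carl from 192.0.2.10 port 40002 ssh2
Mar 22 09:50:09 xena sshd[1236]: Failed password for root from 192.0.2.10 port 40003 ssh2
Mar 22 09:50:20 xena sshd[1237]: Failed password for root from 198.51.100.7 port 50000 ssh2
Mar 22 09:50:30 xena sshd[1238]: Accepted publickey for carl from 203.0.113.5 port 2222 ssh2
Mar 22 09:52:00 xena sshd[1239]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar 22 09:52:30 xena sshd[1240]: Failed password for root from 198.51.100.7 port 50002 ssh2
Mar 22 09:52:40 xena sshd[1241]: Failed password for invalid user admin from 198.51.100.7 port 50003 ssh2
"""

def ipfw_rule(src):
    """The command ipfwadd.sh runs for one offending address (not executed here)."""
    return f"/sbin/ipfw add 25 deny log tcp from {src} to any in via tun0"

def correlate(log_text):
    """Replay log lines through a SingleWithThreshold-style rule and return
    the ipfw commands that would have fired, in order (dry run)."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    quiet_until = {}             # source -> when a fired rule accepts events again
    fired = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # lines that do not match the pattern are never counted
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # year irrelevant
        src = m.group(2)
        if src in quiet_until and ts < quiet_until[src]:
            continue  # already blocked; sec stays silent until the window ends
        q = recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()  # drop failures older than window=60
        if len(q) >= THRESH:
            fired.append(ipfw_rule(src))
            quiet_until[src] = ts + WINDOW
            q.clear()
    return fired
```

Only 192.0.2.10 trips the rule; 198.51.100.7 never has three matching failures inside one 60-second window.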
