Date: Fri, 22 Aug 2008 09:48:00 -0400
From: Mike Tancsa <mike@sentex.net>
To: Brooks Davis <brooks@freebsd.org>
Cc: Mikhail Teterin <mi+mill@aldan.algebra.com>, freebsd-stable@freebsd.org, freebsd-security@freebsd.org
Subject: Re: machine hangs on occasion - correlated with ssh break-in attempts
Message-ID: <200808221347.m7MDlwaN089762@lava.sentex.ca>
In-Reply-To: <20080821203703.GA47728@lor.one-eyed-alien.net>
References: <48ADA81E.7090106@aldan.algebra.com> <20080821200309.GA19634@eos.sc1.parodius.com> <20080821201042.GA56182@rink.nu> <20080821203703.GA47728@lor.one-eyed-alien.net>
At 04:37 PM 8/21/2008, Brooks Davis wrote:
>On Thu, Aug 21, 2008 at 10:10:42PM +0200, Rink Springer wrote:
> > On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote:
> > > Finally, consider moving to pf instead, if you really feel ipfw is
> > > what's causing your machine to crash. You might be pleasantly surprised
> > > by the syntax, and overall administrative usability (it is significantly
> > > superior to ipfw, IMHO).
> >
> > In fact, pf can already do this out-of-the-box, by doing something like:
> >
> > table <sshlusers> persist
> > pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep state \
> >     (max-src-conn 15, max-src-conn-rate 5/3, overload <sshlusers> flush global)
> >
> > If that is not an option, I have found that security/denyhosts works
> > pretty well too (it just adds IPs to /etc/hosts.deniedssh, and
> > host_access(5) denies them based on this)
>
>You almost certainly don't want to rate limit ssh connections, only failed
>ones. If you rate limit connections and use svn, you're likely to lock
>yourself out.

I find a happy balance is to exclude trusted CIDR blocks from the rate
limiting and let everything else be limited. e.g.

table <bruteforce> persist
table <SSHTRUSTED> { 192.168.0.0/16, 1.0.0.0/24 }
block log quick proto tcp from <bruteforce> to any port 22
block in log on $ext_if all
pass log quick proto { tcp } from { !<SSHTRUSTED> } to $myaddress port ssh \
    flags S/SA keep state \
    (max-src-conn 6, max-src-conn-rate 3/30, \
    overload <bruteforce> flush global)
pass in on $ext_if inet proto tcp from <SSHTRUSTED> to $ext_if port ssh keep state

and then a crontab entry

*/5 * * * * /usr/local/sbin/expiretable -v -t 5m bruteforce

---Mike
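To make the behaviour of the ruleset in Mike's message concrete, here is an added Python model of what "max-src-conn-rate 3/30, overload <bruteforce>" plus the expiretable cron job do to a stream of SYNs. It is not pf, not part of the thread, and simplifies pf's bookkeeping: the per-source counter is a fixed 30 second window, the "max-src-conn 6" concurrent-state limit is not modelled, and table entries expire purely by age. The trusted blocks and the sample source addresses are constructed to mirror the `<SSHTRUSTED>` table above; they are not real hosts.

```python
"""Model of pf's overload pattern for SSH (added example; not pf's own code)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed trusted blocks, mirroring the <SSHTRUSTED> table in the message.
TRUSTED_CIDRS = ("192.168.0.0/16", "1.0.0.0/24")


@dataclass
class SshOverloadGuard:
    """Simplified stand-in for 'max-src-conn-rate N/S overload <table>' + expiretable.

    Assumptions (not pf's real implementation):
    - a source's SYN counter uses a fixed window of `interval` seconds, reset on the
      first SYN after the window has ended;
    - the SYN that pushes the count above `max_conn_rate` is dropped and the source
      is tabled (the real rule also flushes that source's existing states);
    - table entries are removed once they are `table_ttl` seconds old, which is what
      '*/5 * * * * expiretable -t 5m bruteforce' approximates every five minutes.
    """
    max_conn_rate: int = 3              # max-src-conn-rate 3/30
    interval: float = 30.0
    table_ttl: float = 300.0            # expiretable -t 5m
    trusted: list = field(
        default_factory=lambda: [ipaddress.ip_network(c) for c in TRUSTED_CIDRS])
    bruteforce: dict = field(default_factory=dict)   # ip -> time it was tabled
    _windows: dict = field(default_factory=dict)     # ip -> [window_start, count]

    def is_trusted(self, ip):
        return any(ip in net for net in self.trusted)

    def expire(self, now):
        """Drop table entries older than table_ttl (the cron job's work)."""
        for ip, tabled_at in list(self.bruteforce.items()):
            if now - tabled_at >= self.table_ttl:
                del self.bruteforce[ip]

    def syn(self, src, now):
        """Decide what happens to one inbound SYN to port 22 from `src` at time `now`."""
        ip = ipaddress.ip_address(src)
        self.expire(now)
        if self.is_trusted(ip):
            return "pass-trusted"        # 'pass in ... from <SSHTRUSTED>': never rate limited
        if ip in self.bruteforce:
            return "block-table"         # 'block log quick ... from <bruteforce>'
        win = self._windows.get(ip)
        if win is None or now - win[0] >= self.interval:
            win = self._windows[ip] = [now, 0]
        win[1] += 1
        if win[1] > self.max_conn_rate:
            self.bruteforce[ip] = now    # 'overload <bruteforce> flush global'
            del self._windows[ip]
            return "overload"
        return "pass"


def run_demo():
    """Replay a constructed SYN timeline; returns (src, time, decision) tuples."""
    guard = SshOverloadGuard()
    timeline = [
        ("192.168.1.5", 0), ("192.168.1.5", 1), ("192.168.1.5", 2),
        ("192.168.1.5", 3), ("192.168.1.5", 4),   # svn-style burst from a trusted host
        ("203.0.113.7", 5), ("203.0.113.7", 6), ("203.0.113.7", 7),  # three attempts pass
        ("203.0.113.7", 8),                       # fourth SYN inside 30 s: tabled
        ("203.0.113.7", 60),                      # window is over, but the table still blocks
        ("203.0.113.7", 308),                     # 300 s later the entry has expired
    ]
    return [(src, t, guard.syn(src, t)) for src, t in timeline]


if __name__ == "__main__":
    for src, t, decision in run_demo():
        print(f"t={t:>3} {src:<12} {decision}")
```

The replay shows the trade-off Brooks raised: a trusted host can open five connections in five seconds without consequence, while an untrusted source is tabled on its fourth SYN within the window and stays blocked until expiretable ages the entry out, regardless of whether the window has since reset.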