Date:      Wed, 9 Feb 2011 08:47:21 +0800
From:      Luke Jee <lukejee@gmail.com>
To:        Vadym Chepkov <vchepkov@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: brutal SSH attacks
Message-ID:  <AANLkTiniSyhSMwMwkKaw_74PLC1TOgcArWmLp=9XF_Zy@mail.gmail.com>
In-Reply-To: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>

Hi Vadym,

Try this:
table <abusive_hosts>

Remove persist; I remember it means the table will be read-only.

On Wed, Feb 9, 2011 at 2:11 AM, Vadym Chepkov <vchepkov@gmail.com> wrote:

> Hi,
>
> Could somebody help in figuring out why the PF configuration meant to prevent
> brutal SSH attacks doesn't work?
>
> Here are the relevant parts:
>
> /etc/ssh/sshd_config
>
> PasswordAuthentication no
> MaxAuthTries 1
>
> /etc/pf.conf
>
> block in log on $wan_if
>
> table <abusive_hosts> persist
> block drop in quick from <abusive_hosts>
>
> pass quick proto tcp to $wan_if port ssh keep state \
> (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
>
> I would expect that somebody who tried to make more than 9 connections a
> minute would have been blocked.
>
> But it's not the case:
>
> Feb  7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
> Feb  7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
> Feb  7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
> Feb  7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
> Feb  7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
> Feb  7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
> Feb  7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
> Feb  7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
> Feb  7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
> Feb  7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
> Feb  7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
> Feb  7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
> Feb  7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
> Feb  7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
> Feb  7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
> Feb  7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
> Feb  7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
> Feb  7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16
>
> What did I miss?
>
> Thank you,
> Vadym



-- 
Luke Jee
CEO
Prevantage Corporation


