From owner-freebsd-pf@FreeBSD.ORG  Wed Feb  9 01:18:14 2011
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2B786106566C
	for <freebsd-pf@freebsd.org>; Wed,  9 Feb 2011 01:18:14 +0000 (UTC)
	(envelope-from lukejee@gmail.com)
Received: from mail-qy0-f182.google.com (mail-qy0-f182.google.com
	[209.85.216.182])
	by mx1.freebsd.org (Postfix) with ESMTP id D5A408FC12
	for <freebsd-pf@freebsd.org>; Wed,  9 Feb 2011 01:18:13 +0000 (UTC)
Received: by qyk36 with SMTP id 36so4643173qyk.13
	for <freebsd-pf@freebsd.org>; Tue, 08 Feb 2011 17:18:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:in-reply-to:references:date
	:message-id:subject:from:to:cc:content-type;
	bh=t7YKLFTwQwWvTAXZI34rJKdzvC7PVgzSwQksgbHYMwA=;
	b=xAPlXlsZ4l9pw+axrAkN8PLDvr+tIJxPJb7w7Kot+px/De5uPK1ubNH1iTEzulqRjX
	0xquB4lckP5ih8jn5pJR39GBrDUrRTgocv4vPP0fCRKHYGo2EZMVAW+Ixmy9guDrFMnt
	b2gUCw96W1gCY4GEXkASP6VuNQOBYXjFCPJog=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	b=ifg3gxQypokfs6Iyt5U3irAvF/QL+lkJkocJbA48QE1BKnchBebfLBXsDtboCP9JJm
	+M3iZDtC+6mI5froHphcPs9TyGYB8nLCSPsRPtxeX/igWAEMALSJbQ5G7Vcoi9h8+Bv4
	J+qtzK8Eo++vI1P7fn6tVUB6N0GcWEYaMQHoc=
MIME-Version: 1.0
Received: by 10.229.183.193 with SMTP id ch1mr12681286qcb.107.1297212441426;
	Tue, 08 Feb 2011 16:47:21 -0800 (PST)
Received: by 10.229.27.211 with HTTP; Tue, 8 Feb 2011 16:47:21 -0800 (PST)
In-Reply-To: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>
References: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>
Date: Wed, 9 Feb 2011 08:47:21 +0800
Message-ID: <AANLkTiniSyhSMwMwkKaw_74PLC1TOgcArWmLp=9XF_Zy@mail.gmail.com>
From: Luke Jee <lukejee@gmail.com>
To: Vadym Chepkov <vchepkov@gmail.com>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2011 01:18:14 -0000

Hi Vadyam,

try this:
table <abusive_hosts>

remove persist, i remember it means table will readonly

On Wed, Feb 9, 2011 at 2:11 AM, Vadym Chepkov <vchepkov@gmail.com> wrote:

> Hi,
>
> Could somebody help in figuring out why PF configuration meant to prevent
> brutal SSH attacks doesn't work.
>
> Here are the relevant parts:
>
> /etc/ssh/sshd_config
>
> PasswordAuthentication no
> MaxAuthTries 1
>
> /etc/pf.conf
>
> block in log on $wan_if
>
> table <abusive_hosts> persist
> block drop in quick from <abusive_hosts>
>
> pass quick proto tcp to $wan_if port ssh keep state \
> (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush
> global)
>
> I would expect if somebody tried to make more then 9 connections a minute
> would have been blocked.
>
> But it's not the case:
>
> Feb  7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
> Feb  7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
> Feb  7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
> Feb  7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
> Feb  7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
> Feb  7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
> Feb  7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
> Feb  7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
> Feb  7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
> Feb  7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
> Feb  7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
> Feb  7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
> Feb  7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
> Feb  7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
> Feb  7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
> Feb  7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
> Feb  7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
> Feb  7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16
>
> What did I miss?
>
> Thank you,
> Vadym
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>



-- 
Luke Jee
CEO
Prevantage Corporation