Date:      Tue, 8 Feb 2011 20:22:44 -0500
From:      Vadym Chepkov <vchepkov@gmail.com>
To:        freebsd-pf@FreeBSD.org
Subject:   Re: brutal SSH attacks
Message-ID:  <1F8586CB-EAF9-4DEA-A8CB-2C3867554C2F@gmail.com>
In-Reply-To: <A141DF22-E35C-46BD-B88B-D68800812359@gmail.com>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com> <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <A6E48F78-AC10-40DE-9345-86D14CC4D3A1@gmail.com> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com> <A141DF22-E35C-46BD-B88B-D68800812359@gmail.com>

I should have mentioned it.

Some IPs do get into the abusive_hosts table, but some do not, and I don't understand why; how do they avoid getting caught?

Vadym


On Feb 8, 2011, at 8:07 PM, Vadym Chepkov wrote:

>
> On Feb 8, 2011, at 7:11 PM, Vadym Chepkov wrote:
>
>>
>> On Feb 8, 2011, at 7:01 PM, Helmut Schneider wrote:
>>
>>>>> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post
>>>>> a vital part). We also can assume that pf is enabled, can we?
>>>>
>>>> What should I be looking for in pflog? I can't find anything ssh related. I posted full ruleset too.
>>> [...]
>>>> [root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>
>>> Well...
>>>
>>>> block drop in quick from <abusive_hosts> to any
>>>> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global, src.track 60)
>>>
>>> "block drop in quick log..." and "pass quick inet proto log" might be useful. BTW, what version of FreeBSD are you using? The machine isn't multi-homed, is it?
>>
>> 8.1-RELEASE-p1, just one external interface.
>>
>> I will add "log" to "pass ssh", but what would I "block drop in quick" though?
>
>
> Here are entries with pass in log enabled:
>
> 19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0
> 19:59:09.879718 rule 5/0(match): pass in on bce1: 93.174.31.134.37700 > 38.X.X.X.22: Flags [S], seq 442612509, win 5840, options [mss 1460,sackOK,TS val 395812607 ecr 0,nop,wscale 7], length 0
> 19:59:11.585464 rule 5/0(match): pass in on bce1: 93.174.31.134.38063 > 38.X.X.X.22: Flags [S], seq 452334454, win 5840, options [mss 1460,sackOK,TS val 395814310 ecr 0,nop,wscale 7], length 0
> 19:59:13.343901 rule 5/0(match): pass in on bce1: 93.174.31.134.38266 > 38.X.X.X.22: Flags [S], seq 460272696, win 5840, options [mss 1460,sackOK,TS val 395816072 ecr 0,nop,wscale 7], length 0
> 19:59:15.083747 rule 5/0(match): pass in on bce1: 93.174.31.134.39088 > 38.X.X.X.22: Flags [S], seq 451620226, win 5840, options [mss 1460,sackOK,TS val 395817812 ecr 0,nop,wscale 7], length 0
> 19:59:16.825914 rule 5/0(match): pass in on bce1: 93.174.31.134.39441 > 38.X.X.X.22: Flags [S], seq 449195625, win 5840, options [mss 1460,sackOK,TS val 395819550 ecr 0,nop,wscale 7], length 0
> 19:59:18.556231 rule 5/0(match): pass in on bce1: 93.174.31.134.39722 > 38.X.X.X.22: Flags [S], seq 452162408, win 5840, options [mss 1460,sackOK,TS val 395821284 ecr 0,nop,wscale 7], length 0
> 19:59:20.263343 rule 5/0(match): pass in on bce1: 93.174.31.134.40441 > 38.X.X.X.22: Flags [S], seq 466289680, win 5840, options [mss 1460,sackOK,TS val 395822987 ecr 0,nop,wscale 7], length 0
> 19:59:21.996759 rule 5/0(match): pass in on bce1: 93.174.31.134.40812 > 38.X.X.X.22: Flags [S], seq 466926642, win 5840, options [mss 1460,sackOK,TS val 395824721 ecr 0,nop,wscale 7], length 0
> 19:59:23.723164 rule 5/0(match): pass in on bce1: 93.174.31.134.41081 > 38.X.X.X.22: Flags [S], seq 470787551, win 5840, options [mss 1460,sackOK,TS val 395826451 ecr 0,nop,wscale 7], length 0
> 19:59:25.424186 rule 5/0(match): pass in on bce1: 93.174.31.134.41808 > 38.X.X.X.22: Flags [S], seq 456764787, win 5840, options [mss 1460,sackOK,TS val 395828152 ecr 0,nop,wscale 7], length 0
>
>
> No idea, why it didn't stop after 9 attempts.
>
> Vadym
>
>
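The quoted pflog excerpt and the rule's `max-src-conn-rate 9/60` invite the obvious check: replay the `pass` lines and count, per source address, how many new SSH connections land inside any 60-second window. The script below is an added example and is not code from the thread or from FreeBSD; it parses lines shaped like the tcpdump-over-pflog output quoted above (with `-n`, so addresses are numeric) and applies a sliding-window rate limit of the same form as the pf rule. Two things are assumptions, not facts from the thread: the sample log is constructed (documentation-range addresses, not the poster's), and a passed packet with `Flags [S]` is treated as one new connection. That second point is exactly where this replay and pf can disagree: pf counts a connection toward `max-src-conn` and `max-src-conn-rate` only once the TCP handshake has completed, so a list of passed SYNs in pflog is an upper bound on what pf's source-tracking counter sees, not the counter itself.

```python
"""Added example (not from the thread): replay pflog 'pass' lines and apply a
per-source 'max_conn new connections per interval seconds' check, the same
shape as the pf rule's max-src-conn-rate 9/60.

Assumptions (mine, not the thread's):
  * the log lines look like the tcpdump-over-pflog output quoted in the thread;
  * a passed packet with Flags [S] counts as one new connection, which is only
    an approximation of pf, which counts a connection once the handshake
    completes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the pflog/tcpdump line shape quoted in the thread. The destination
# accepts the 'X' placeholders the poster used when redacting the address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.X]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_pflog_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match.

    'seconds' is the timestamp converted to seconds since midnight so that
    window arithmetic is a plain subtraction.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    t = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    rec["seconds"] = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    return rec


def find_rate_overloads(lines, max_conn=9, interval=60):
    """Sliding-window equivalent of 'max-src-conn-rate max_conn/interval'.

    Returns {src_ip: seconds_of_day} for every source whose count of passed
    SYNs within any `interval`-second window exceeded `max_conn`, keyed by the
    timestamp of the SYN that pushed it over. Sources that stay under the
    limit are absent. Only 'pass' lines with Flags [S] are counted; ACKs,
    data segments and blocked packets are ignored.
    """
    windows = defaultdict(deque)   # src -> timestamps of recent SYNs
    tripped = {}
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "pass" or rec["flags"] != "S":
            continue
        src, now = rec["src"], rec["seconds"]
        if src in tripped:
            continue                # pf would already have moved it to the table
        q = windows[src]
        q.append(now)
        while q and now - q[0] > interval:   # expire SYNs older than the window
            q.popleft()
        if len(q) > max_conn:
            tripped[src] = now
    return tripped


# Constructed sample log (documentation-range addresses, not the thread's):
# 11 SYNs from one source about 1.73 s apart, like the cadence in the thread,
# a second source that stays well under the limit, and one non-SYN segment.
_BASE = datetime(2011, 2, 8, 19, 59, 8, 149358)
_FMT = ("{ts} rule 5/0(match): pass in on bce1: {src}.{sport} > 38.X.X.X.22: "
        "Flags [{flags}], seq {seq}, win 5840, options [mss 1460,sackOK,"
        "TS val 395810874 ecr 0,nop,wscale 7], length 0")
SAMPLE_LOG = [
    _FMT.format(ts="19:58:00.000000", src="203.0.113.5", sport=50000, flags="S", seq=1000),
] + [
    _FMT.format(ts=(_BASE + timedelta(seconds=1.73 * i)).strftime("%H:%M:%S.%f"),
                src="198.51.100.7", sport=36872 + 100 * i, flags="S", seq=441726758 + i)
    for i in range(11)
] + [
    _FMT.format(ts="19:59:26.000000", src="198.51.100.7", sport=41808, flags=".", seq=2000),
    _FMT.format(ts="19:59:30.000000", src="203.0.113.5", sport=50001, flags="S", seq=1001),
]

if __name__ == "__main__":
    for src, when in find_rate_overloads(SAMPLE_LOG).items():
        print(f"{src} exceeded 9 new connections/60s at {when:.6f} s since midnight")
```

To run it against a real capture, feed it the output of the same `tcpdump -n -r` invocation shown in the thread (`bzcat` for the rotated files) instead of `SAMPLE_LOG`. If a source exceeds the window here but never lands in `<abusive_hosts>`, the gap between this SYN count and pf's handshake-completed count is the first thing to look at, and `pfctl -s state` and `pfctl -s sources` during the burst show what pf is actually tracking for that address.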




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1F8586CB-EAF9-4DEA-A8CB-2C3867554C2F>