From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 01:22:46 2011
From: Vadym Chepkov <vchepkov@gmail.com>
To: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks
Date: Tue, 8 Feb 2011 20:22:44 -0500
Message-Id: <1F8586CB-EAF9-4DEA-A8CB-2C3867554C2F@gmail.com>
References: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

I should have mentioned it. Some IPs do get into the abusive_hosts table, but some do not, and I don't understand why; how do they avoid getting caught?

Vadym

On Feb 8, 2011, at 8:07 PM, Vadym Chepkov wrote:

> On Feb 8, 2011, at 7:11 PM, Vadym Chepkov wrote:
>
>> On Feb 8, 2011, at 7:01 PM, Helmut Schneider wrote:
>>
>>>>> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post
>>>>> a vital part). We also can assume that pf is enabled, can we?
>>>>
>>>> What should I be looking for in pflog? I can't find anything ssh related. I posted the full ruleset too.
>>> [...]
>>>> [root@castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>>>
>>> Well...
>>>
>>>> block drop in quick from <abusive_hosts> to any
>>>> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global, src.track 60)
>>>
>>> "block drop in quick log..." and "pass quick inet proto log" might be useful. BTW, what version of FreeBSD are you using? The machine isn't multi-homed, is it?
>>
>> 8.1-RELEASE-p1, just one external interface.
>>
>> I will add "log" to "pass ssh", but what would I "block drop in quick" though?
>
>
> Here are entries with pass in log enabled:
>
> 19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0
> 19:59:09.879718 rule 5/0(match): pass in on bce1: 93.174.31.134.37700 > 38.X.X.X.22: Flags [S], seq 442612509, win 5840, options [mss 1460,sackOK,TS val 395812607 ecr 0,nop,wscale 7], length 0
> 19:59:11.585464 rule 5/0(match): pass in on bce1: 93.174.31.134.38063 > 38.X.X.X.22: Flags [S], seq 452334454, win 5840, options [mss 1460,sackOK,TS val 395814310 ecr 0,nop,wscale 7], length 0
> 19:59:13.343901 rule 5/0(match): pass in on bce1: 93.174.31.134.38266 > 38.X.X.X.22: Flags [S], seq 460272696, win 5840, options [mss 1460,sackOK,TS val 395816072 ecr 0,nop,wscale 7], length 0
> 19:59:15.083747 rule 5/0(match): pass in on bce1: 93.174.31.134.39088 > 38.X.X.X.22: Flags [S], seq 451620226, win 5840, options [mss 1460,sackOK,TS val 395817812 ecr 0,nop,wscale 7], length 0
> 19:59:16.825914 rule 5/0(match): pass in on bce1: 93.174.31.134.39441 > 38.X.X.X.22: Flags [S], seq 449195625, win 5840, options [mss 1460,sackOK,TS val 395819550 ecr 0,nop,wscale 7], length 0
> 19:59:18.556231 rule 5/0(match): pass in on bce1: 93.174.31.134.39722 > 38.X.X.X.22: Flags [S], seq 452162408, win 5840, options [mss 1460,sackOK,TS val 395821284 ecr 0,nop,wscale 7], length 0
> 19:59:20.263343 rule 5/0(match): pass in on bce1: 93.174.31.134.40441 > 38.X.X.X.22: Flags [S], seq 466289680, win 5840, options [mss 1460,sackOK,TS val 395822987 ecr 0,nop,wscale 7], length 0
> 19:59:21.996759 rule 5/0(match): pass in on bce1: 93.174.31.134.40812 > 38.X.X.X.22: Flags [S], seq 466926642, win 5840, options [mss 1460,sackOK,TS val 395824721 ecr 0,nop,wscale 7], length 0
> 19:59:23.723164 rule 5/0(match): pass in on bce1: 93.174.31.134.41081 > 38.X.X.X.22: Flags [S], seq 470787551, win 5840, options [mss 1460,sackOK,TS val 395826451 ecr 0,nop,wscale 7], length 0
> 19:59:25.424186 rule 5/0(match): pass in on bce1: 93.174.31.134.41808 > 38.X.X.X.22: Flags [S], seq 456764787, win 5840, options [mss 1460,sackOK,TS val 395828152 ecr 0,nop,wscale 7], length 0
>
>
> No idea why it didn't stop after 9 attempts.
>
> Vadym
>
>
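An added check, not part of the thread, that applies the rule's own threshold (max-src-conn-rate 9/60) to the pflog lines quoted above: it parses the tcpdump output, counts inbound SYNs per source over a sliding 60-second window and reports the first SYN that pushes a source past the limit. It works from the log alone, so it shows what the log supports rather than pf's internal source-tracking state; the port-22 target and the 9/60 and 60-second values are taken from the quoted rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout of the pflog lines as tcpdump printed them in the thread:
#   HH:MM:SS.ffffff rule N/0(match): pass in on IFACE: SRC.PORT > DST.PORT: Flags [S], ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.X]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# The eleven lines quoted in the thread, rebuilt from their timestamps and source ports
# and cut after the flags field (all this check reads); 38.X.X.X is the poster's masking.
SAMPLE_LOG = [
    f"19:59:{sec} rule 5/0(match): pass in on bce1: 93.174.31.134.{sport} > 38.X.X.X.22: Flags [S]"
    for sec, sport in [
        ("08.149358", 36872), ("09.879718", 37700), ("11.585464", 38063),
        ("13.343901", 38266), ("15.083747", 39088), ("16.825914", 39441),
        ("18.556231", 39722), ("20.263343", 40441), ("21.996759", 40812),
        ("23.723164", 41081), ("25.424186", 41808),
    ]
]

def parse_line(line):
    """Return the fields of one pflog line as a dict, or None if it is not a match line."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
    return rec

def syn_rate_violations(lines, dport="22", limit=9, seconds=60):
    """Sliding-window count of inbound SYNs per source to dport (the bookkeeping behind a
    'max-src-conn-rate limit/seconds' rule). Returns {src: (count, ts)} for the first SYN over the limit."""
    window = timedelta(seconds=seconds)
    recent = defaultdict(list)   # src -> timestamps of SYNs still inside the window
    violations = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "in" or rec["dport"] != dport or "S" not in rec["flags"]:
            continue
        ts, src = rec["ts"], rec["src"]
        recent[src] = [t for t in recent[src] if ts - t < window] + [ts]
        if len(recent[src]) > limit:
            violations.setdefault(src, (len(recent[src]), ts.strftime("%H:%M:%S.%f")))
    return violations
```

On the quoted lines it reports 93.174.31.134 at its tenth SYN (19:59:23.723164), about 15.6 seconds after the first, which is the point at which a 9/60 limit would have grounds to act.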