From: Gergely CZUCZY
To: Andrei Kolu
Cc: freebsd-pf@freebsd.org
Date: Tue, 24 Apr 2007 21:07:03 +0200
Subject: Re: preventing ssh brute force attacks, swatch and users and table
Message-ID: <20070424190702.GA91635@harmless.hu>
In-Reply-To: <200704242116.49805.antik@pcbsd.org>

On Tue, Apr 24, 2007 at 09:16:49PM +0300, Andrei Kolu wrote:
> On Tuesday 24 April 2007 21:00:41 Dave wrote:
> > Hello,
> > I've got a machine running ssh and I'm trying to cut down on brute
> > force attacks on it. I'm running pf on a FreeBSD 6.2 box and have added in
> > swatch to try to curb these attacks. The problem is nothing is being added
> > to either the memory hackers table nor the on-disk copy of it. I know I'm
> > getting hits because I'm seeing entries in my auth.log like this:
> >
> > Apr 21 06:18:38 zeus sshd[10609]: Did not receive identification string
> > from 125.33.163.188

I've used a pf ruleset to block too intensive connect attempts to my sshd, as it was documented in the OpenBSD FAQ. I block IPs permanently, and if someone was blocked due to too intensive ssh-ing, then the IP will absolutely be blocked, globally.

I auto-save this table, and it's an append-only one.

This is a really easy policy, works great.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.
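
A pf.conf sketch of the kind of policy the reply describes (rate-limit sshd connections, overload offenders into a persistent table, block table members everywhere), added here as an example and not the poster's actual ruleset. The interface name, the table name `<bruteforce>`, the file path `/etc/pf.bruteforce` and the thresholds are assumptions.

```conf
# Added illustration, not the poster's ruleset.
# Interface, table name, file path and thresholds are assumed values.
ext_if = "em0"

# Persistent table, loaded from disk whenever the ruleset is loaded so that
# bans survive a reboot. The file must already exist (it may be empty),
# otherwise the ruleset fails to load.
table <bruteforce> persist file "/etc/pf.bruteforce"

# Sources in the table are dropped for every service, not only ssh.
block in quick on $ext_if from <bruteforce>

# Allow ssh, but move sources that connect too aggressively into the table.
#   max-src-conn 10        at most 10 established connections per source
#   max-src-conn-rate 3/10 at most 3 new connections per 10 seconds
#   overload <bruteforce>  sources exceeding either limit are added
#   flush global           all existing states from that source are killed
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/10, \
     overload <bruteforce> flush global)

# Saving the table is done outside pf.conf, for example from cron:
#   pfctl -t bruteforce -T show > /etc/pf.bruteforce
# The table stays append-only as long as nothing runs
# "pfctl -t bruteforce -T delete" or "-T flush" against it.
```

The source limits are counted on connections that complete the TCP handshake, so a permanent, append-only block list of this kind will also hold any legitimate address that trips the thresholds until it is removed by hand.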