From owner-freebsd-pf@FreeBSD.ORG  Wed Feb  9 01:38:20 2011
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B70441065672
	for <freebsd-pf@freebsd.org>; Wed,  9 Feb 2011 01:38:20 +0000 (UTC)
	(envelope-from vchepkov@gmail.com)
Received: from mail-qy0-f175.google.com (mail-qy0-f175.google.com
	[209.85.216.175])
	by mx1.freebsd.org (Postfix) with ESMTP id 6A3088FC18
	for <freebsd-pf@freebsd.org>; Wed,  9 Feb 2011 01:38:20 +0000 (UTC)
Received: by qyk8 with SMTP id 8so906297qyk.13
	for <freebsd-pf@freebsd.org>; Tue, 08 Feb 2011 17:38:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:subject:mime-version:content-type:from
	:x-priority:in-reply-to:date:cc:content-transfer-encoding:message-id
	:references:to:x-mailer;
	bh=QYdBmj4wlO0f208Rg5coU6ofgEPTmKR9CmFmWHge46E=;
	b=lpvvQJD7I+tJdRVu4iLTaMj95Pco1sjf6y0iDRVJpKP9BbswYWiThBhREVGT7f19Ka
	X23zKMXPW7YXL9xQ8Bip3R3cIH/xTJnl0N6vO9e0KEi/B5bk9iRttpghJ0Y8pxm9hR+i
	4aaW6x5QsvLqsBfe22A32oXx5N6Vs0mgTCR7Q=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=subject:mime-version:content-type:from:x-priority:in-reply-to:date
	:cc:content-transfer-encoding:message-id:references:to:x-mailer;
	b=TCP2/0W3wYhNRXT6Vtn1zwbcrGDEKs/665PaNGZkv3oFHFDMXitX6lByAx9G0qQ8Xn
	XebNPHfR6NY9PE0mGqUsC1hoASVnelgk+HGnrIA1f63rwaHjMXch4BR7QWWhDU+MowBx
	g/d4XXDwn2aAVILM10bSowtd/BOVxNoqsHYbg=
Received: by 10.224.74.18 with SMTP id s18mr15584629qaj.327.1297215496079;
	Tue, 08 Feb 2011 17:38:16 -0800 (PST)
Received: from vvcmac.chepkov.lan (pool-173-71-213-51.clppva.fios.verizon.net
	[173.71.213.51])
	by mx.google.com with ESMTPS id e29sm75171qck.27.2011.02.08.17.38.14
	(version=SSLv3 cipher=OTHER); Tue, 08 Feb 2011 17:38:14 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset=us-ascii
From: Vadym Chepkov <vchepkov@gmail.com>
X-Priority: 3
In-Reply-To: <7919038DEA4842A597EB84C9FD717FA7@charlieroot.de>
Date: Tue, 8 Feb 2011 20:38:13 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <0523C307-8002-4257-89FA-8B8A6621F6D3@gmail.com>
References: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>
	<5A0B04327C334DA18745BFDBDBECE055@charlieroot.de>
	<A6E48F78-AC10-40DE-9345-86D14CC4D3A1@gmail.com>
	<98689EFE59404E4B838E79071AABA8B4@charlieroot.de>
	<56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com>
	<A141DF22-E35C-46BD-B88B-D68800812359@gmail.com>
	<7919038DEA4842A597EB84C9FD717FA7@charlieroot.de>
To: "Helmut Schneider" <jumper99@gmx.de>
X-Mailer: Apple Mail (2.1082)
Cc: freebsd-pf@FreeBSD.org
Subject: Re: brutal SSH attacks
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2011 01:38:20 -0000



On Feb 8, 2011, at 8:36 PM, Helmut Schneider wrote:

>> Here are entries with pass in log enabled:
>>=20
>> 19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 =
> 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss =
1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0
>=20
> And 38.x.x.x is the external ip of your gateway?! (my last guess for =
today^Wtonight...)=20

yes, it is