Date: Wed, 9 Feb 2011 00:26:59 -0500
From: jhell <jhell@DataIX.net>
To: Vadym Chepkov <vchepkov@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
Message-ID: <alpine.BSF.2.00.1102090021320.2304@qvfongpu.qngnvk.ybpny>
In-Reply-To: <0523C307-8002-4257-89FA-8B8A6621F6D3@gmail.com>
References: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>
 <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de>
 <A6E48F78-AC10-40DE-9345-86D14CC4D3A1@gmail.com>
 <98689EFE59404E4B838E79071AABA8B4@charlieroot.de>
 <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com>
 <A141DF22-E35C-46BD-B88B-D68800812359@gmail.com>
 <7919038DEA4842A597EB84C9FD717FA7@charlieroot.de>
 <0523C307-8002-4257-89FA-8B8A6621F6D3@gmail.com>

On Tue, 8 Feb 2011 20:38, vchepkov@ wrote:
>
>
> On Feb 8, 2011, at 8:36 PM, Helmut Schneider wrote:
>
>>> Here are entries with pass in log enabled:
>>>
>>> 19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0
>>
>> And 38.x.x.x is the external ip of your gateway?! (my last guess for today^Wtonight...)
>
> yes, it is
>

Your max-src-conn is higher than your initial max-src-conn-rate. Try adjusting max-src-conn to 3, which is 1/3 of what your rate is, and you'll find that you will have much different results.

Brute force attacks usually will come in faster than:

max-src-conn 5, max-src-conn-rate 15/30

which in itself is a little restrictive but works out in quite a few instances where I have implemented this same functionality.

Good Luck,

--
jhell
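Added example, not part of the original message or thread: a simplified Python model for checking which of the two limits discussed above a given per-source connection pattern exceeds first. It assumes a plain sliding window for the rate (pf's own accounting may differ), the sample patterns are constructed, and `first_trip` is a hypothetical helper name.

```python
from collections import deque

# Constructed per-source connection patterns: (start_second, duration_seconds).
FAST_SERIAL = [(t, 0.5) for t in range(40)]   # one short login attempt per second
PARALLEL = [(t, 20) for t in range(8)]        # overlapping attempts
ADMIN = [(0, 3600), (20, 3600), (45, 3600), (70, 3600)]  # four long-lived sessions


def first_trip(conns, max_src_conn, rate_count, rate_secs):
    """Return (index, option) for the first connection that exceeds a limit.

    conns is a list of (start, duration) tuples for ONE source address,
    sorted by start time. Returns None if neither limit is exceeded.
    max_src_conn models simultaneous established connections;
    rate_count/rate_secs models max-src-conn-rate as a sliding window
    (an assumption of this example, not pf's internal bookkeeping).
    """
    open_ends = []      # end times of connections still established
    recent = deque()    # start times that fall inside the rate window
    for i, (start, duration) in enumerate(conns):
        # Forget connections that have already closed.
        open_ends = [end for end in open_ends if end > start]
        # Forget connection starts that have aged out of the window.
        while recent and recent[0] <= start - rate_secs:
            recent.popleft()
        open_ends.append(start + duration)
        recent.append(start)
        if len(open_ends) > max_src_conn:
            return i, "max-src-conn"
        if len(recent) > rate_count:
            return i, "max-src-conn-rate"
    return None


if __name__ == "__main__":
    patterns = {"FAST_SERIAL": FAST_SERIAL, "PARALLEL": PARALLEL, "ADMIN": ADMIN}
    for name, pattern in patterns.items():
        for limit in (5, 3):
            result = first_trip(pattern, limit, 15, 30)
            print(f"{name:12} max-src-conn {limit}, rate 15/30 -> {result}")
```

The ADMIN pattern shows the cost of a low max-src-conn: four legitimate parallel sessions from one address stay under a limit of 5 but exceed a limit of 3.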