From owner-freebsd-pf@FreeBSD.ORG Wed Feb 9 05:50:13 2011
From: jhell <jhellenthal@gmail.com>
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Date: Wed, 9 Feb 2011 00:26:59 -0500
Subject: Re: brutal SSH attacks
In-Reply-To: <0523C307-8002-4257-89FA-8B8A6621F6D3@gmail.com>
References: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com> <7919038DEA4842A597EB84C9FD717FA7@charlieroot.de> <0523C307-8002-4257-89FA-8B8A6621F6D3@gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-OpenPGP-Key-Id: 0x89D8547E
X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tue, 8 Feb 2011 20:38, vchepkov@ wrote:

> On Feb 8, 2011, at 8:36 PM, Helmut Schneider wrote:
>
>>> Here are entries with pass in log enabled:
>>>
>>> 19:59:08.149358 rule 5/0(match): pass in on bce1: 93.174.31.134.36872 > 38.X.X.X.22: Flags [S], seq 441726758, win 5840, options [mss 1460,sackOK,TS val 395810874 ecr 0,nop,wscale 7], length 0
>>
>> And 38.x.x.x is the external ip of your gateway?! (my last guess for today^Wtonight...)
>
> yes, it is
>

Your max-src-conn is higher than your initial max-src-conn-rate. Try adjusting max-src-conn to 3, which is 1/3 of what your rate is, and you'll find that you will have much different results. Brute force attacks usually will come in faster than: max-src-conn 5, max-src-conn-rate 15/30, which in itself is a little restrictive but works out in quite a few instances where I have implemented this same functionality.

Good Luck,

--
 jhell
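The limits being tuned in this reply, written out as a complete ruleset. This is an added example for readers of the archive, not a configuration posted by anyone in the thread. It assumes the external interface is bce1 (the interface in the quoted log line), and the table name <bruteforce> is an arbitrary choice.

```pf
# Added example, not from the thread. External interface name taken from the
# quoted log line; the table name is an arbitrary choice.
ext_if = "bce1"

# Sources that exceed the limits below are inserted here. "persist" keeps the
# table defined even while it is empty. Entries never expire on their own;
# age them out from cron with:  pfctl -t bruteforce -T expire 86400
table <bruteforce> persist

# Drop offenders before any other rule is considered. "quick" stops rule
# evaluation, so a later "pass" cannot re-admit a listed host.
block in quick on $ext_if from <bruteforce>

# Accept SSH only while each source address stays under both limits:
#   max-src-conn 5          at most 5 simultaneous established connections
#                           (3-way handshake completed) from one source
#   max-src-conn-rate 15/30 at most 15 new connections from one source in
#                           any 30 second window (a moving average)
# Crossing either limit adds the source to <bruteforce>; "flush global" also
# kills every existing state from that source, not just the ones this rule
# created.  "log" produces the "rule N/0(match): pass in" lines quoted above.
pass in log on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 15/30, overload <bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf`, then confirm with `pfctl -sr` that the loaded pass rule really carries the `max-src-conn`/`max-src-conn-rate`/`overload` options; if they were left off the rule that the log shows matching, the table will simply never fill. `pfctl -t bruteforce -T show` lists the addresses that have been caught. Two caveats worth keeping in mind when reading the thread: the rate limit is counted per source address and only for new connections that create state through this rule, so a single attacker pacing itself below 15 attempts per 30 seconds, or a botnet spreading attempts across many addresses, stays under the threshold. The table reduces noise; authentication hardening in sshd_config (key-only logins, no root login) is what actually stops password guessing.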