From: Damien Fleuriot <ml@my.gd>
Date: Wed, 09 Feb 2011 11:00:15 +0100
To: freebsd-pf@freebsd.org
Subject: Re: brutal SSH attacks
Message-ID: <4D5265AF.4060600@my.gd>
References: <4D51A061.20704@sentex.net>

Looks like my previous message didn't make it to the list.

@OP: nothing indicates that your table is getting populated correctly.

While this doesn't address your main issue, you may want to install sshguard, which will automatically blacklist attackers and populate a dedicated table.
On 2/8/11 11:06 PM, Vadym Chepkov wrote:
>
> On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
>
>> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> Could somebody help in figuring out why a PF configuration meant to prevent brutal SSH attacks doesn't work?
>>>
>>> Here are the relevant parts:
>>>
>>> /etc/ssh/sshd_config
>>>
>>> PasswordAuthentication no
>>> MaxAuthTries 1
>>>
>>> /etc/pf.conf
>>>
>>> block in log on $wan_if
>>>
>>> table persist
>>> block drop in quick from
>>>
>>> pass quick proto tcp to $wan_if port ssh keep state \
>>> (max-src-conn 10, max-src-conn-rate 9/60, overload flush global)
>>
>> On RELENG_7 and 8 I use something like that. Is there a different IP
>> they might be connecting to that is not covered under $wan_if?
>
> That would mean this rule doesn't work:
>
> block in log on $wan_if
>
>> table persist
>> table {xx.yy.zz.aa}
>>
>> block log all
>> block in log quick proto tcp from to any port 22
>> pass in log quick proto tcp from {!} to self port ssh \
>> flags S/SA keep state \
>> (max-src-conn 6, max-src-conn-rate 3/30, \
>> overload flush global)
>> pass in log inet proto tcp from to self port ssh keep state
>
> I don't have "trusted" outside IPs; other than that your config seems the same, except mine is supposed to be more strict: just one IP instead of "self".
> By the way, wouldn't using "self" allow incoming packets to 127.0.0.1?
>
> Vadym
>
>> ---Mike
>>
>> --
>> -------------------
>> Mike Tancsa, tel +1 519 651 3400
>> Sentex Communications, mike@sentex.net
>> Providing Internet services since 1994 www.sentex.net
>> Cambridge, Ontario Canada http://www.tancsa.com/
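As an added illustration (not the configuration of the original poster, of Mike, or of anyone on this list), here is a minimal pf.conf in the same shape as the thread's rules, with the overload table named explicitly, followed by the pfctl checks that show whether the table is actually being filled. The interface name `em0`, the table name `bruteforce` and the limits are assumptions chosen for the example.

```pf
# Added example; interface name, table name and limits are assumptions.
wan_if = "em0"

# Offenders land in this table. "persist" keeps the table around even
# when no rule currently references it.
table <bruteforce> persist

# Default-deny inbound on the WAN side, then drop known offenders before
# anything else is evaluated.
block in log on $wan_if
block drop in quick on $wan_if from <bruteforce>

# "flags S/SA" makes only the first SYN of a new connection match, so the
# source-tracking counters count connections rather than every packet.
# "($wan_if)" is the interface's own address, so the rule does not also
# cover loopback or other local addresses the way "self" does.
pass in quick on $wan_if proto tcp to ($wan_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 9/60, \
     overload <bruteforce> flush global)
```

To confirm the mechanism is working rather than assuming it: `pfctl -nf /etc/pf.conf` parses the file without loading it; `pfctl -vsr` prints per-rule evaluation and packet counters, so you can see whether the pass rule is being hit at all; `pfctl -sS` lists the source-tracking entries that the `max-src-conn-rate` counters are kept in; and `pfctl -t bruteforce -T show` lists the addresses that have actually been overloaded into the table. Note that a connection is counted at the SYN, so with `PasswordAuthentication no` each attempt still counts even though it is refused immediately. Entries in an overload table never expire on their own; a periodic `pfctl -t bruteforce -T expire 86400` (here one day, an assumed value) ages them out. If you follow the sshguard suggestion above, it needs its own table declared the same way, `table <sshguard> persist` with a matching `block in quick` rule, since its pf backend adds offenders with `pfctl -t sshguard -T add`.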