From: Daniel Hartmeier
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Date: Wed, 9 Feb 2011 19:51:18 +0100
Subject: Re: brutal SSH attacks
Message-ID: <20110209185118.GA16942@insomnia.benzedrine.cx>
References: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com>

On Tue, Feb 08, 2011 at 08:07:52PM -0500, Vadym Chepkov wrote:

> No idea, why it didn't stop after 9 attempts.

The connection rate is not calculated precisely; from pf.conf(5):

    max-src-conn-rate /
        Limit the rate of new connections over a time interval. The
        connection rate is an approximation calculated as a moving
        average.

There is a counter, and a last-update-time. When the first connection
matches, the counter starts at zero, and the time (one second
resolution) is noted. Whenever a subsequent connection matches, the
following happens:

  1) if the last-update-time is further back than  (60, in your case),
     the counter is reset to zero.

  2) otherwise, the counter is reduced relative to how much time has
     passed since last-update-time (i.e. the counter is multiplied by
     (now - last-update-time) / )

  3) the counter is incremented by 1000

When the counter exceeds 1000 *  (9, in your case), the
max-src-conn-rate is triggered.

This works reasonably well in many cases, but may be quite imprecise,
especially when  is much smaller than .

You could try max-src-conn-rate 2/5 instead.

The details can be found in pf.c, see

  http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c?rev=HEAD

The reason this was chosen over a more precise algorithm is that this
is very cheap CPU-wise and requires only a minimal amount of memory.

Regards,
Daniel
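A small simulation of the counter described in the mail above, added here as an illustration and not taken from pf.c or written by the author, comparing pf's moving-average approximation with an exact sliding window for the same 9/60 rule. It assumes the elided interval term is the seconds part of number/seconds, that step 2 decays the counter as count -= count * elapsed / seconds in integer arithmetic (how pf_add_threshold() in pf.c does it), and that the first connection is counted like any other; the names PfThreshold, pf_first_trigger and exact_first_trigger are this example's own, while PF_THRESHOLD_MULT mirrors pf's 1000 multiplier.

```python
# Added model of the max-src-conn-rate moving-average counter, following the
# three steps in the mail and pf_add_threshold() in pf.c. Assumptions: step 2
# is count -= count * elapsed // seconds (integer math) and the first
# connection is counted like any other (elapsed == 0).
from collections import deque

PF_THRESHOLD_MULT = 1000  # each matching connection adds 1000 to the counter

class PfThreshold:
    """Per-source state for 'max-src-conn-rate number/seconds'."""
    def __init__(self, number, seconds, now):
        self.limit = number * PF_THRESHOLD_MULT
        self.seconds = seconds
        self.count = 0    # counter starts at zero ...
        self.last = now   # ... and the time is noted (one-second resolution)

    def add(self, now):
        """Account one new connection at `now`; True once the limit is exceeded."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0                                   # step 1: reset
        else:
            self.count -= self.count * diff // self.seconds  # step 2: decay
        self.count += PF_THRESHOLD_MULT                      # step 3
        self.last = now
        return self.count > self.limit

def pf_first_trigger(times, number, seconds):
    """1-based index of the connection at which pf's approximation fires, or None."""
    thr = PfThreshold(number, seconds, times[0])
    for i, t in enumerate(times, 1):
        if thr.add(t):
            return i
    return None

def exact_first_trigger(times, number, seconds):
    """Same question with an exact sliding window (number + 1 within `seconds`), or None."""
    window = deque()
    for i, t in enumerate(times, 1):
        window.append(t)
        while t - window[0] >= seconds:
            window.popleft()
        if len(window) > number:
            return i
    return None

if __name__ == "__main__":   # constructed scenarios against 'max-src-conn-rate 9/60'
    for name, times in (("burst", [0] * 12), ("every 6 s", list(range(0, 180, 6)))):
        print(name, pf_first_trigger(times, 9, 60), exact_first_trigger(times, 9, 60))
```

For connections 6 s apart (10 per minute, above the 9/60 limit) the exact window flags the 10th connection at t=54 s, while the moving average only passes 9000 on the 22nd, at t=126 s; a burst of 12 inside one second is caught by both at the 10th. Connections exactly 60 s apart reset the counter every time and never trigger, which is the step 1 case.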