From: Vadym Chepkov
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
Date: Wed, 9 Feb 2011 16:00:42 -0500
Subject: Re: brutal SSH attacks
In-Reply-To: <4D5265AF.4060600@my.gd>
References: <4D51A061.20704@sentex.net> <4D5265AF.4060600@my.gd>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Feb 9, 2011, at 5:00 AM, Damien Fleuriot wrote:
> Looks like my previous message didn't make it to the list.
>
>
> @OP: nothing indicates that your table is getting populated correctly.
>
> While this doesn't address your main issue, you may want to install
> sshguard which will automatically blacklist attackers and populate a
> dedicated table.
>

Thanks for the suggestion, but as you said, it's a workaround.
I'd rather try to understand why something that is supposed to work does not, because this is something I have visibility into. What if something else doesn't work as expected and I blindly trust it?

Vadym

>
> On 2/8/11 11:06 PM, Vadym Chepkov wrote:
>>
>> On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
>>
>>> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> Could somebody help in figuring out why a PF configuration meant to prevent brute-force SSH attacks doesn't work?
>>>>
>>>> Here are the relevant parts:
>>>>
>>>> /etc/ssh/sshd_config
>>>>
>>>> PasswordAuthentication no
>>>> MaxAuthTries 1
>>>>
>>>> /etc/pf.conf
>>>>
>>>> block in log on $wan_if
>>>>
>>>> table persist
>>>> block drop in quick from
>>>>
>>>> pass quick proto tcp to $wan_if port ssh keep state \
>>>> (max-src-conn 10, max-src-conn-rate 9/60, overload flush global)
>>>
>>>
>>> On RELENG_7 and 8 I use something like that. Is there a different IP
>>> they might be connecting to that is not covered under $wan_if?
>>>
>>
>> That would mean this rule doesn't work:
>>
>> block in log on $wan_if
>>
>>
>>>
>>>
>>> table persist
>>> table {xx.yy.zz.aa}
>>>
>>>
>>>
>>> block log all
>>> block in log quick proto tcp from to any port 22
>>> pass in log quick proto tcp from {!} to self port ssh \
>>> flags S/SA keep state \
>>> (max-src-conn 6, max-src-conn-rate 3/30, \
>>> overload flush global)
>>> pass in log inet proto tcp from to self port ssh keep state
>>>
>>
>> I don't have "trusted" outside IPs; other than that, your config seems the same, except mine is supposed to be stricter: just one IP instead of "self".
>> By the way, wouldn't using "self" allow incoming packets to 127.0.0.1?
>>
>> Vadym
>>
>>
>>>
>>>
>>> ---Mike
>>>
>>>
>>> --
>>> -------------------
>>> Mike Tancsa, tel +1 519 651 3400
>>> Sentex Communications, mike@sentex.net
>>> Providing Internet services since 1994 www.sentex.net
>>> Cambridge, Ontario Canada http://www.tancsa.com/
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
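The angle-bracketed table names in both quoted configurations (the operand of `overload`, of `block ... from`, and of `pass ... from`) were lost in the archive rendering, so the rule sets above cannot be copied as they stand. Below is an added example of the rule set the thread is discussing; it is not the original poster's or Mike Tancsa's configuration, and the interface name `em0`, the table names `bruteforce` and `trusted`, and the management address 192.0.2.10 are placeholders. It differs from the quoted rules in two ways worth noting: every rule names the interface with `in on $wan_if`, so the rate-limited pass rule is the only rule that can create SSH states arriving from the WAN, and the destination is written as `($wan_if)` rather than `self`, because pf.conf(5) defines `self` as every address assigned to every interface, which includes lo0 and therefore 127.0.0.1.

```pf
# Added example, not code from the thread. Assumed names: em0, <bruteforce>,
# <trusted>, 192.0.2.10.
wan_if = "em0"

# Offenders land here; "persist" keeps the table even when no rule references it.
table <bruteforce> persist
# Assumed management host that must never be rate-limited or locked out.
table <trusted> { 192.0.2.10 }

set skip on lo0                     # never filter loopback traffic

# Default policy on the WAN side: drop and log everything not explicitly passed.
block in log on $wan_if

# Anything already in <bruteforce> is dropped before the pass rules are reached.
block drop in quick on $wan_if from <bruteforce>

# The trusted host gets SSH with plain state tracking and no limits.
pass in quick on $wan_if proto tcp from <trusted> to ($wan_if) port ssh \
    flags S/SA keep state

# Everyone else: at most 10 simultaneous connections per source address and at
# most 9 new connections per 60 seconds. A source that exceeds either limit is
# inserted into <bruteforce>, and "flush global" kills every state it owns,
# not just the ones created by this rule.
pass in quick on $wan_if proto tcp to ($wan_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 9/60, overload <bruteforce> flush global)
```

The check Damien asks for is `pfctl -t bruteforce -T show`, which lists the addresses currently in the table; if an attacker has clearly exceeded 9 connections a minute and is still absent, the connections are not being matched by the rate-limited rule. `pfctl -vsr` prints per-rule evaluation and match counters, so you can see whether the SSH pass rule matched at all, and `pfctl -ss | grep :22` shows which rule owns the existing SSH states. The counters only apply to states created by the rule that carries the `max-src-conn-rate` option, so a second pass rule that also matches SSH (or a pass rule without `on $wan_if` that catches the same packets first) silently defeats the limit. With `MaxAuthTries 1` and `PasswordAuthentication no` each attack attempt is a fresh TCP connection, which is exactly what `max-src-conn-rate` counts.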