From: Daniel Hartmeier
To: Vadym Chepkov
Cc: freebsd-pf@freebsd.org
Date: Thu, 10 Feb 2011 08:52:58 +0100
Subject: Re: brutal SSH attacks
Message-ID: <20110210075258.GB16942@insomnia.benzedrine.cx>
References: <5A0B04327C334DA18745BFDBDBECE055@charlieroot.de> <98689EFE59404E4B838E79071AABA8B4@charlieroot.de> <56413CA2-EE4F-4E06-B044-0982E864E44D@gmail.com> <20110209185118.GA16942@insomnia.benzedrine.cx>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wed, Feb 09, 2011 at 03:55:42PM -0500, Vadym Chepkov wrote:

> Feb 8 11:27:01 castor sshd[57304]: Invalid user ariane from 113.185.0.16

count = 1000, last = 01

> Feb 8 11:27:04 castor sshd[57306]: Invalid user armand from 113.185.0.16

diff = 3, count -= 1000 * 3 / 60, += 1000, count = 1950, last = 04

> Feb 8 11:27:08 castor sshd[57308]: Invalid user armande from 113.185.0.16

diff = 4, count -= 1950 * 4 / 60, += 1000, count = 2820, last = 08

> Feb 8 11:27:11 castor sshd[57310]: Invalid user armando from 113.185.0.16

diff = 3, count -= 2820 * 3 / 60, += 1000, count = 3679, last = 11

> Feb 8 11:27:15 castor sshd[57312]: Invalid user armani from 113.185.0.16

diff = 4, count -= 3679 * 4 / 60, += 1000, count = 4434, last = 15

> Feb 8 11:27:18 castor sshd[57314]: Invalid user arnie from 113.185.0.16

diff = 3, count -= 4434 * 3 / 60, += 1000, count = 5213, last = 18

> Feb 8 11:27:22 castor sshd[57316]: Invalid user arne from 113.185.0.16

diff = 4, count -= 5213 * 4 / 60, += 1000, count = 5866, last = 22

> Feb 8 11:27:25 castor sshd[57318]: Invalid user arnold from 113.185.0.16

diff = 3, count -= 5866 * 3 / 60, += 1000, count = 6573, last = 25

> Feb 8 11:27:29 castor sshd[57320]: Invalid user art from 113.185.0.16

diff = 4, count -= 6573 * 4 / 60, += 1000, count = 7135, last = 29

> Feb 8 11:27:33 castor sshd[57322]: Invalid user arthur from 113.185.0.16

diff = 4, count -= 7135 * 4 / 60, += 1000, count = 7660, last = 33

> Feb 8 11:27:36 castor sshd[57324]: Invalid user artie from 113.185.0.16

diff = 3, count -= 7660 * 3 / 60, += 1000, count = 8277, last = 36

> Feb 8 11:27:47 castor sshd[57326]: Invalid user arty from 113.185.0.16

diff = 11, count -= 8277 * 11 / 60, += 1000, count = 7710, last = 47

(This 11-second pause is reducing the rate estimation significantly; if the scanner hadn't paused so long, it would have triggered.)

> Feb 8 11:27:50 castor sshd[57328]: Invalid user asha from 113.185.0.16

diff = 3, count -= 7710 * 3 / 60, += 1000, count = 8325, last = 50

> Feb 8 11:27:54 castor sshd[57330]: Invalid user asher from 113.185.0.16

diff = 4, count -= 8325 * 4 / 60, += 1000, count = 8770, last = 54

> Feb 8 11:27:57 castor sshd[57332]: Invalid user ashley from 113.185.0.16

diff = 3, count -= 8770 * 3 / 60, += 1000, count = 9332, last = 57

Now count is larger than your limit 9000, and the threshold is triggered, after 15 connections (the 16th is probably due to syslog not showing the precise timestamps).

You can re-calculate the steps with 30 (instead of 60), and see how it triggers...

Daniel
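The accounting Daniel walks through by hand, as an added example that is neither from this mail nor from pf's own sources: a userland C replay of the max-src-conn-rate threshold the way pf.c implements it (pf_init_threshold, pf_add_threshold, pf_check_threshold, with PF_THRESHOLD_MULT = 1000 and truncating integer division), run over the fifteen syslog timestamps quoted above. The 9/60 rule is assumed from the mail's "limit 9000"; struct pf_threshold and the field names are pf's, while replay, count_after, trip_index and scan_times are names introduced here for illustration.

```c
/*
 * Userland replay of pf's max-src-conn-rate accounting. Added example, not
 * pf's code and not part of the mailing-list thread; it mirrors the kernel
 * algorithm so the per-connection "count" can be checked step by step.
 */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define PF_THRESHOLD_MULT 1000

struct pf_threshold {
	uint32_t limit;		/* rule's connection limit * PF_THRESHOLD_MULT */
	uint32_t seconds;	/* rule's window, 60 for "9/60" */
	uint32_t count;		/* decayed estimate, PF_THRESHOLD_MULT per conn */
	uint32_t last;		/* time of the last accounted connection */
};

static void
threshold_init(struct pf_threshold *t, uint32_t limit, uint32_t seconds,
    uint32_t now)
{
	t->limit = limit * PF_THRESHOLD_MULT;
	t->seconds = seconds;
	t->count = 0;
	t->last = now;
}

/* Decay count in proportion to the idle time, then add one connection.
 * This is the "count -= count * diff / 60, += 1000" step from the mail;
 * the division truncates, exactly as the kernel's integer math does. */
static void
threshold_add(struct pf_threshold *t, uint32_t now)
{
	uint32_t diff = now - t->last;

	if (diff >= t->seconds)
		t->count = 0;
	else
		t->count -= t->count * diff / t->seconds;
	t->count += PF_THRESHOLD_MULT;
	t->last = now;
}

static int
threshold_exceeded(const struct pf_threshold *t)
{
	return t->count > t->limit;
}

/* Seconds within the minute of the 15 "Invalid user" lines quoted in the
 * mail (11:27:01 .. 11:27:57), copied from the thread. */
static const uint32_t scan_times[] = {
	1, 4, 8, 11, 15, 18, 22, 25, 29, 33, 36, 47, 50, 54, 57
};
#define SCAN_N (sizeof(scan_times) / sizeof(scan_times[0]))

/* Replay the first n timestamps against a limit/seconds rule. Returns the
 * count after the n-th connection; *tripped receives the 1-based index of
 * the first connection that exceeded the limit, or 0 if none did. The
 * source node is created on the first connection, so that one is
 * accounted with diff = 0 and yields count = 1000, as in the mail. */
static uint32_t
replay(uint32_t limit, uint32_t seconds, size_t n, size_t *tripped)
{
	struct pf_threshold t;
	size_t i, trip = 0;

	if (n > SCAN_N)
		n = SCAN_N;
	threshold_init(&t, limit, seconds, scan_times[0]);
	for (i = 0; i < n; i++) {
		threshold_add(&t, scan_times[i]);
		if (trip == 0 && threshold_exceeded(&t))
			trip = i + 1;
	}
	if (tripped != NULL)
		*tripped = trip;
	return t.count;
}

static uint32_t
count_after(uint32_t limit, uint32_t seconds, size_t n)
{
	return replay(limit, seconds, n, NULL);
}

static size_t
trip_index(uint32_t limit, uint32_t seconds)
{
	size_t trip;

	(void)replay(limit, seconds, SCAN_N, &trip);
	return trip;
}

int
main(void)
{
	size_t i;

	printf("max-src-conn-rate 9/60 over the quoted timestamps:\n");
	for (i = 1; i <= SCAN_N; i++)
		printf("  conn %2zu at 11:27:%02u  count = %5u\n", i,
		    scan_times[i - 1], count_after(9, 60, i));
	printf("first connection over the limit: %zu\n", trip_index(9, 60));
	return 0;
}
```

The printed counts match the hand computation up to the 11:27:36 line; from the 11-second pause onward the replay runs a few tens higher than the figures in the mail, because 8277 * 11 / 60 truncates to 1517, and it reaches the same conclusion: the fifteenth connection (11:27:57) is the first one that pushes count above 9000. trip_index(9, 30) replays the same series with the 30-second window Daniel suggests recalculating.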