Date: Wed, 14 May 2008 16:10:21 +0100 (BST) From: "Reinhold" <freebsd@violetlan.net> To: "Jon Radel" <jon@radel.com>, freebsd-pf@freebsd.org Subject: Re: a few problems with pf Message-ID: <58644.217.41.34.61.1210777821.squirrel@www.violetlan.net> In-Reply-To: <482AEE64.8020209@radel.com> References: <63902.217.41.34.61.1210768578.squirrel@www.violetlan.net> <482AEE64.8020209@radel.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, May 14, 2008 14:51, Jon Radel wrote: > Reinhold wrote: > > >> >> What I've also noticed is that in pf I have this rule >> pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp >> from any to { 192.168.1.2 } port = 22 keep state (max 1024, max-src-conn >> 15, >> max-src-conn-rate 2/1, overload <bruteforce> flush global) >> >> When I'm getting the bad header thingy this rule doesn't work properly. >> It >> let all the traffic trough but it never blocks the bad guys. > > Which bad guys are you expecting to block? I just checked a couple > day's worth of logs and the fastest rate at which somebody was trying to > brute force my ssh server was 1 attempt every 2 seconds. Your rule won't > trigger until 2 attempts every 1 second or faster, and I don't think those > other limits are likely to get triggered either unless you see a lot more > "bad guys" than I do on random addresses. I find that > max-src-conn-rate 3/10 tends to cut off the more energetic ones. > > --Jon Radel > > I have almost the same rule on one of my 6.3 systems with 2/1 set and yesterday it cough 6 bad guys and today 2. I've made the change as you recommended. I actually was looking at a ssh attempt earlier this week and it was connecting at about 3 to 4 per second.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?58644.217.41.34.61.1210777821.squirrel>