Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 30 Sep 2008 16:01:26 +0200 (CEST)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-hackers@FreeBSD.ORG, roberto@keltia.freenix.fr
Subject:   Re: SSH Brute Force attempts
Message-ID:  <200809301401.m8UE1QDm039930@lurza.secnetix.de>
In-Reply-To: <20080930081637.GA34744@keltia.freenix.fr>

next in thread | previous in thread | raw e-mail | index | archive | help
Ollivier Robert <> wrote:
 > According to Henrik Hudson:
 > > Yeap, -security
 > > 
 > > However, also try this in pf.conf (specific rules related to this; you'll need 
 > > more for a real pf.conf):
 > > 
 > > table <badguys> { } persist
 > > block in quick from <badguys>
 > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state 
 > > (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
 > 
 > That one is very effective.

It's especially effective to enable to DoS you.
An attacker simply has to spoof the source address
on SYN packets, which is trivial.  :-(

It is marginally better to use one of those tools
that parse the logs for failed ssh logins, and use
that information to block addresses.  In order to
abuse that, and attacker would have to spoof a full
TCP connection setup plus initial SSH conversation,
which is far from trivial.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"Perl will consistently give you what you want,
unless what you want is consistency."
        -- Larry Wall



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200809301401.m8UE1QDm039930>