Date: Tue, 30 Sep 2008 17:37:38 +0200 (CEST) From: Oliver Fromme <olli@lurza.secnetix.de> To: freebsd-hackers@FreeBSD.ORG, pierre.riteau@gmail.com, roberto@keltia.freenix.fr Subject: Re: SSH Brute Force attempts Message-ID: <200809301537.m8UFbcrt044684@lurza.secnetix.de> In-Reply-To: <20080930151550.GA20490@omicron.my.domain>
next in thread | previous in thread | raw e-mail | index | archive | help
Pierre Riteau wrote: > Oliver Fromme wrote: > > Ollivier Robert wrote: > > > According to Henrik Hudson: > > > > Yeap, -security > > > > > > > > However, also try this in pf.conf (specific rules related to this; you'll need > > > > more for a real pf.conf): > > > > > > > > table <badguys> { } persist > > > > block in quick from <badguys> > > > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state > > > > (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global) > > > > > > That one is very effective. > > > > It's especially effective to enable to DoS you. > > An attacker simply has to spoof the source address > > on SYN packets, which is trivial. :-( > > This is not true. pf.conf(5) says: > > For stateful TCP connections, limits on established connections (connec- > tions which have completed the TCP 3-way handshake) can also be enforced > per source IP. Thanks for the correction. I prefer IPFW most of the time, therefore I wasn't aware of this detail. > Because the 3-way handshake ensures that the source address is not being > spoofed, more aggressive action can be taken based on these limits. s/not being spoofed/more difficult to spoofe/ ;-) Still, detecting the break-in attempts on application layer (e.g. auth log file) is better than on TCP layer. Best regards Oliver -- Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M. Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung: secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün- chen, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd "It combines all the worst aspects of C and Lisp: a billion different sublanguages in one monolithic executable. It combines the power of C with the readability of PostScript." -- Jamie Zawinski, when asked: "What's wrong with perl?"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200809301537.m8UFbcrt044684>