Date:      Wed, 9 Feb 2011 16:00:42 -0500
From:      Vadym Chepkov <vchepkov@gmail.com>
To:        Damien Fleuriot <ml@my.gd>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: brutal SSH attacks
Message-ID:  <A52E3BB1-E89C-472E-8200-07DFA9E2DE53@gmail.com>
In-Reply-To: <4D5265AF.4060600@my.gd>
References:  <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>	<4D51A061.20704@sentex.net> <FFC11535-7638-4FE7-84EC-EED8D9A443BA@gmail.com> <4D5265AF.4060600@my.gd>



On Feb 9, 2011, at 5:00 AM, Damien Fleuriot wrote:

> Looks like my previous message didn't make it to the list.
>
>
> @OP: nothing indicates that your table is getting populated correctly.
>
> While this doesn't address your main issue, you may want to install
> sshguard which will automatically blacklist attackers and populate a
> dedicated table.
>


Thanks for the suggestion, but as you said, it's a workaround.
I'd rather try to understand why something that is supposed to work does not.
Because this is something I have visibility into. What if something else
doesn't work as expected and I blindly trust it?

Vadym


>
> On 2/8/11 11:06 PM, Vadym Chepkov wrote:
>>
>> On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
>>
>>> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>>>> Hi,
>>>>
>>>> Could somebody help in figuring out why a PF configuration meant to
>>>> prevent brutal SSH attacks doesn't work?
>>>>
>>>> Here are the relevant parts:
>>>>
>>>> /etc/ssh/sshd_config
>>>>
>>>> PasswordAuthentication no
>>>> MaxAuthTries 1
>>>>
>>>> /etc/pf.conf
>>>>
>>>> block in log on $wan_if
>>>>
>>>> table <abusive_hosts> persist
>>>> block drop in quick from <abusive_hosts>
>>>>
>>>> pass quick proto tcp to $wan_if port ssh keep state \
>>>>       (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
>>>
>>>
>>> On RELENG_7 and 8 I use something like that.  Is there a different IP
>>> they might be connecting to that is not covered under $wan_if?
>>>
>>
>> That would mean this rule doesn't work:
>>
>> block in log on $wan_if
>>
>>
>>>
>>>
>>> table <bruteforce> persist
>>> table <SSHTRUSTED> {xx.yy.zz.aa}
>>>
>>>
>>>
>>> block log all
>>> block in log quick proto tcp from <bruteforce> to any port 22
>>> pass in log quick proto tcp from {!<SSHTRUSTED>} to self port ssh \
>>>       flags S/SA keep state \
>>>       (max-src-conn 6, max-src-conn-rate 3/30, \
>>>       overload <bruteforce> flush global)
>>> pass in log inet proto tcp from <SSHTRUSTED> to self port ssh keep state
>>>
>>
>> I don't have "trusted" outside IPs; other than that, your config seems the
>> same, except mine is supposed to be more strict - just one IP instead of "self".
>> By the way, wouldn't using "self" allow incoming packets to 127.0.0.1?
>>
>> Vadym
>>
>>
>>>
>>>
>>> 	---Mike
>>>
>>>
>>> --
>>> -------------------
>>> Mike Tancsa, tel +1 519 651 3400
>>> Sentex Communications, mike@sentex.net
>>> Providing Internet services since 1994 www.sentex.net
>>> Cambridge, Ontario Canada   http://www.tancsa.com/
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
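Both pf.conf fragments quoted in this thread rely on the max-src-conn-rate state option, which counts new TCP connections per source address inside the interval, not authentication attempts, so MaxAuthTries and PasswordAuthentication have no bearing on when a source gets pushed into the overload table, and a client that paces its connections below the rate is never added. The script below is an added example, not code from this thread or from pf: it replays that check over constructed sshd log lines (RFC 5737 documentation addresses) as a strict sliding window, which is a simplification of pf's moving-average approximation, so counts exactly at the boundary can differ. The "Connection from ... port ..." line shape is assumed here (OpenSSH emits it at LogLevel VERBOSE); adjust the regex for other log formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example; not code from the thread or from pf.  It models the pf rule
# option "max-src-conn-rate NUMBER/SECONDS" as a strict sliding window over
# new TCP connections per source.  pf itself uses a moving-average
# approximation, so counts right at the window boundary may differ.

# Assumed sshd line shape: one such line per accepted TCP connection
# (OpenSSH logs it at LogLevel VERBOSE).  Adjust for your log format.
CONN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_connections(lines, year=2011):
    """Return [(datetime, src_ip)] with one entry per new TCP connection.

    Lines that are not 'Connection from' lines (disconnects, auth results)
    are skipped: pf's counter sees connections, not authentication tries,
    so MaxAuthTries has no influence on when a source is overloaded.
    Syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
            events.append((ts, m["ip"]))
    return events


def overloaded_sources(events, number, seconds):
    """Sources that would trip 'max-src-conn-rate number/seconds'.

    A source is overloaded once more than `number` of its connections fall
    inside any window (t - seconds, t] ending at one of its own connections.
    """
    by_src = defaultdict(list)
    for ts, ip in events:
        by_src[ip].append(ts)
    window = timedelta(seconds=seconds)
    hits = set()
    for ip, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # drop stamps older than the window
                start += 1
            if end - start + 1 > number:
                hits.add(ip)
                break
    return hits


def build_sample_log():
    """Constructed log (RFC 5737 addresses), not taken from the thread.

    203.0.113.7 opens a connection every 4 s: a noisy brute-forcer.
    198.51.100.23 opens one every 8 s: never more than 8 per minute, so it
    stays under 9/60 while still making 38 attempts in five minutes.
    """
    base = datetime(2011, 2, 8, 13, 10, 0)
    lines = []

    def log(ts, pid, text):
        lines.append(f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} gw sshd[{pid}]: {text}")

    for i in range(12):
        ts = base + timedelta(seconds=4 * i)
        log(ts, 4000 + i, f"Connection from 203.0.113.7 port {40000 + i}")
        # Public-key-only server: the attempt ends with no password line at all.
        log(ts, 4000 + i, "Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]")
    for i in range(38):
        ts = base + timedelta(seconds=8 * i)
        log(ts, 5000 + i, f"Connection from 198.51.100.23 port {50000 + i}")
    return lines


if __name__ == "__main__":
    events = parse_connections(build_sample_log())
    print("9/60 overloads: ", sorted(overloaded_sources(events, 9, 60)))
    print("9/300 overloads:", sorted(overloaded_sources(events, 9, 300)))
```

Running it against your own auth log tells you whether any source ever exceeds the configured rate; if none does, an empty table is the rule working as written rather than a pf fault. Two quick checks on the host itself complement this: pfctl -vsr prints per-rule evaluation and packet counters, so you can see whether the pass rule is matching SSH traffic at all, and pfctl -t abusive_hosts -T show lists what the table currently holds.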




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?A52E3BB1-E89C-472E-8200-07DFA9E2DE53>