Date: Tue, 8 Feb 2011 13:11:00 -0500
From: Vadym Chepkov <vchepkov@gmail.com>
To: freebsd-pf@FreeBSD.org
Subject: brutal SSH attacks
Message-ID: <D04005BA-E154-4AE3-B14B-F9E6EF1269B0@gmail.com>

Hi,

Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.

Here are the relevant parts:

/etc/ssh/sshd_config

PasswordAuthentication no
MaxAuthTries 1

/etc/pf.conf

block in log on $wan_if

table <abusive_hosts> persist
block drop in quick from <abusive_hosts>

pass quick proto tcp to $wan_if port ssh keep state \
 (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)

I would expect if somebody tried to make more than 9 connections a minute would have been blocked. But it's not the case:

Feb 7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
Feb 7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
Feb 7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
Feb 7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
Feb 7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
Feb 7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
Feb 7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
Feb 7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
Feb 7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
Feb 7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
Feb 7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
Feb 7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
Feb 7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
Feb 7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
Feb 7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
Feb 7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
Feb 7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
Feb 7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16

What did I miss?

Thank you,
Vadym
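
One way to confirm from the sshd log whether a source really exceeded the 9/60 threshold used in the rule above (an added example, not part of the original message). It assumes each logged "Invalid user" attempt corresponds to one new TCP connection, which MaxAuthTries 1 makes likely but does not guarantee; the function names, sample lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd "Invalid user" line: syslog timestamp, host, pid, user name, source address
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"Invalid user (?:\S+ )?from (\S+)")

def sources_over_rate(lines, limit=9, window=60, year=2011):
    """Map each source to the time of the attempt that first pushed it past
    `limit` attempts within `window` seconds (sliding window per source)."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    tripped = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        stamp, src = m.groups()
        # syslog omits the year; supply one so the timestamp parses fully
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()
        if len(q) > limit and src not in tripped:
            tripped[src] = ts
    return tripped

def sample_log():
    """Constructed sample: 192.0.2.10 attempts every 3 s (12 in total),
    198.51.100.7 attempts once a minute (3 in total)."""
    fast = [f"Feb  7 19:20:{3 * i:02d} host sshd[{100 + i}]: "
            f"Invalid user u{i} from 192.0.2.10" for i in range(12)]
    slow = [f"Feb  7 19:2{1 + i}:00 host sshd[{200 + i}]: "
            f"Invalid user v{i} from 198.51.100.7" for i in range(3)]
    return fast + slow

if __name__ == "__main__":
    for src, when in sources_over_rate(sample_log()).items():
        print(f"{src} exceeded 9 attempts in 60 s at {when}")
```

A source reported here that never shows up in `pfctl -t abusive_hosts -T show` indicates that its connections are not being tracked by the rule carrying the overload option.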