SSH Brute Force attempts
Pierre Riteau
pierre.riteau at gmail.com
Tue Sep 30 15:28:57 UTC 2008
On Tue, Sep 30, 2008 at 04:01:26PM +0200, Oliver Fromme wrote:
> Ollivier Robert <> wrote:
> > According to Henrik Hudson:
> > > Yeap, -security
> > >
> > > However, also try this in pf.conf (specific rules related to this; you'll need
> > > more for a real pf.conf):
> > >
> > > table <badguys> { } persist
> > > block in quick from <badguys>
> > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
> > >     (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
> >
> > That one is very effective.
>
> It's especially effective at enabling someone to DoS you.
> An attacker simply has to spoof the source address
> on SYN packets, which is trivial. :-(
This is not true. pf.conf(5) says:
For stateful TCP connections, limits on established connections (connections
which have completed the TCP 3-way handshake) can also be enforced
per source IP.
max-src-conn <number>
Limits the maximum number of simultaneous TCP connections which
have completed the 3-way handshake that a single host can make.
max-src-conn-rate <number> / <seconds>
Limit the rate of new connections over a time interval. The connection
rate is an approximation calculated as a moving average.
Because the 3-way handshake ensures that the source address is not being
spoofed, more aggressive action can be taken based on these limits.
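A complete minimal ruleset built around the rule quoted above, as an added example that is not part of this thread; the interface name em0 and the connection limits are assumptions:

```pf
# Added example, not from the thread. Interface name and limits are assumptions.
ext_if = "em0"

set skip on lo0

# Sources that exceed the limits below are added here. "persist" keeps the
# table alive even when no rule currently references it.
table <badguys> { } persist

# Drop traffic from overloaded sources before any other rule is evaluated.
block in quick on $ext_if from <badguys> to any

# Default deny inbound; allow outbound with state.
block in on $ext_if
pass out on $ext_if keep state

# Only connections that completed the 3-way handshake count toward
# max-src-conn and max-src-conn-rate, so a spoofed SYN flood cannot push an
# address into <badguys>. On overload, "flush global" also removes that
# source's existing states, not just the new connection.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
    (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
```

Entries added by overload never age out on their own: inspect the table with `pfctl -t badguys -T show` and prune entries older than a day with `pfctl -t badguys -T expire 86400` (for example from cron).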