SSH Brute Force attempts
Oliver Fromme
olli at lurza.secnetix.de
Tue Sep 30 15:37:42 UTC 2008
Pierre Riteau wrote:
> Oliver Fromme wrote:
> > Ollivier Robert wrote:
> > > According to Henrik Hudson:
> > > > Yeap, -security
> > > >
> > > > However, also try this in pf.conf (specific rules related to this; you'll need
> > > > more for a real pf.conf):
> > > >
> > > > table <badguys> { } persist
> > > > block in quick from <badguys>
> > > > pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state
> > > > (max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global)
> > >
> > > That one is very effective.
> >
> > It's especially effective at enabling someone to DoS you.
> > An attacker simply has to spoof the source address
> > on SYN packets, which is trivial. :-(
>
> This is not true. pf.conf(5) says:
>
> For stateful TCP connections, limits on established connections (connections
> which have completed the TCP 3-way handshake) can also be enforced
> per source IP.
Thanks for the correction. I prefer IPFW most of the time,
therefore I wasn't aware of this detail.
> Because the 3-way handshake ensures that the source address is not being
> spoofed, more aggressive action can be taken based on these limits.
s/not being spoofed/more difficult to spoof/ ;-)
Still, detecting the break-in attempts on application layer
(e.g. auth log file) is better than on TCP layer.
Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry court Munich, HRA 74606, management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registry court Munich,
HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd
"It combines all the worst aspects of C and Lisp: a billion different
sublanguages in one monolithic executable. It combines the power of C
with the readability of PostScript."
-- Jamie Zawinski, when asked: "What's wrong with perl?"
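As an added example (not code from anyone in this thread), here is what Oliver's suggestion of detecting break-in attempts at the application layer can look like in practice: a small Python script that reads sshd failure lines from the auth log, applies the same "more than 4 failures in 300 seconds" budget that the quoted `max-src-conn-rate 4/300` rule applies at the TCP layer, and emits `pfctl -t badguys -T add` commands for the offending sources so they land in the same `<badguys>` table. Because it only counts failures that sshd itself logged after a completed handshake and an authentication exchange, a spoofed SYN can never get a source into the table. The log lines, the host name `gw`, the `badguys` table name and the year passed to the parser are all constructed assumptions for the example:

```python
"""Log-based SSH brute-force detection feeding a pf table.

Added example; not from the thread. Assumes FreeBSD sshd syslog lines as found
in /var/log/auth.log and a 'table <badguys> persist' in pf.conf, as in the
pf.conf fragment quoted in the thread. All sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two common sshd failure messages ("Failed password for ..." and
# "Invalid user ..."); everything else in the log is ignored.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log: one source hammering the box, one legitimate user
# mistyping once, and one slow scanner that stays under the rate budget.
SAMPLE_LOG = [
    "Sep 30 15:30:01 gw sshd[1234]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Sep 30 15:30:03 gw sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
    "Sep 30 15:30:05 gw sshd[1236]: Invalid user oracle from 198.51.100.7",
    "Sep 30 15:30:09 gw sshd[1237]: Failed password for root from 198.51.100.7 port 40004 ssh2",
    "Sep 30 15:30:12 gw sshd[1238]: Failed password for root from 198.51.100.7 port 40005 ssh2",
    "Sep 30 15:31:00 gw sshd[1240]: Failed password for olli from 203.0.113.9 port 50001 ssh2",
    "Sep 30 15:31:40 gw sshd[1241]: Accepted publickey for olli from 203.0.113.9 port 50002 ssh2",
    "Sep 30 15:40:00 gw sshd[1250]: Failed password for root from 192.0.2.44 port 6001 ssh2",
    "Sep 30 15:41:40 gw sshd[1251]: Failed password for root from 192.0.2.44 port 6002 ssh2",
    "Sep 30 15:43:20 gw sshd[1252]: Failed password for root from 192.0.2.44 port 6003 ssh2",
    "Sep 30 15:45:00 gw sshd[1253]: Failed password for root from 192.0.2.44 port 6004 ssh2",
    "Sep 30 15:46:40 gw sshd[1254]: Failed password for root from 192.0.2.44 port 6005 ssh2",
]


def parse_failures(lines, year=2008):
    """Yield (timestamp, source_ip) for every recognised failed login.

    syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def offenders(lines, limit=4, window=300):
    """Return the set of source IPs with more than `limit` failures inside any
    `window`-second span: the log-layer analogue of pf's max-src-conn-rate 4/300.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    bad = set()
    for ts, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # slide the window
            q.popleft()
        if len(q) > limit:
            bad.add(ip)
    return bad


def pfctl_commands(ips, table="badguys"):
    """Build the pfctl(8) invocations that put the offenders into the table.
    'pfctl -t <table> -T add <addr>' is standard pfctl syntax."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    for cmd in pfctl_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Run against the constructed sample it emits a single `pfctl -t badguys -T add 198.51.100.7`; the slow scanner at 192.0.2.44 spreads its five failures over 400 seconds and stays under the budget, exactly as it would under the pf rule. In real use feed it the output of `tail -F /var/log/auth.log` and actually execute the commands; note that addresses added with `-T add` stay in the table until removed with `pfctl -t badguys -T delete <addr>` or `-T flush`, so pair it with a periodic expiry.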