pf and max-src-conn-rate

Sergey V. Dyatko sergey.dyatko at gmail.com
Tue Nov 17 11:10:03 UTC 2009


Hi list, 
I'm trying to stop ssh bruteforce on my box (rules below), but it
doesn't work. Looks like a 1 sec interval is too small :(

from auth.log:
...
Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from
200.27.164.214
Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication error
for illegal user cobert from server.aconex.cl
Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam
for invalid user cobert from 200.27.164.214 port 57587 ssh2
...
Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication error
for illegal user colman from 80.243.172.54
Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam
for invalid user colman from 80.243.172.54 port 45081 ssh2
...

As you can see I got 2 connections from 1 IP in 1 second but...

#pfctl -tbots -Tshow|wc -l
0

Where am I wrong?
pf.conf:

ext_if="em0"

table <trusted_hosts> { my_net/24, some_ip/32}
table <bots> persist

scrub in all

pass in quick on $ext_if proto tcp from <trusted_hosts>
block in quick from <bots>

pass in quick on $ext_if proto tcp to $ext_if port ssh \
               flags S/SA keep state \
        ( max-src-conn-rate 2/1 overload <bots> flush )

pass in all
pass out all


--
wbr, tiger
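Added example, not from the post or from pf itself: a small Python checker that groups auth.log failures by source address and sshd child PID (sshd forks one child per TCP connection, so a repeated PID and client port means repeated attempts inside one connection), then approximates the max-src-conn-rate 2/1 test from the pf.conf above, which counts new connections, not authentication attempts. The sample log, the year passed to the parser and the sliding-window stand-in for pf's decaying counter are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the auth.log excerpt in the post. sshd forks
# one child per TCP connection, so a repeated PID (and client port) means the
# attempts share a single connection.
SAMPLE_LOG = """\
Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user colin from 200.27.164.214 port 57587 ssh2
Nov 17 13:32:15 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user admin from 200.27.164.214 port 57587 ssh2
Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45081 ssh2
Nov 17 13:40:17 master-db6 sshd[3962]: Failed keyboard-interactive/pam for invalid user colmar from 80.243.172.54 port 45082 ssh2
Nov 17 13:40:17 master-db6 sshd[3963]: Failed keyboard-interactive/pam for invalid user colmen from 80.243.172.54 port 45083 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: Failed "
    r"\S+ for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$")

def failures_by_ip(log_text, year=2009):
    """Per source IP: failed attempts, plus first-seen time of each distinct
    sshd child PID (= each distinct TCP connection). Year is assumed."""
    stats = defaultdict(lambda: {"attempts": 0, "connections": {}})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # PAM chatter, accepted logins, etc.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        entry["connections"].setdefault(m["pid"], ts)
    return stats

def would_overload(conn_times, rate, seconds):
    """Approximate pf's max-src-conn-rate rate/seconds: fires when MORE than
    `rate` new connections from one source arrive within `seconds`. pf uses a
    decaying counter, not a sliding window (assumed stand-in here), but like
    this it only counts connection setups, never attempts inside one."""
    times = sorted(conn_times)
    for i, t in enumerate(times):
        if sum((u - t).total_seconds() < seconds for u in times[i:]) > rate:
            return True
    return False

def report(log_text, rate=2, seconds=1):
    """{ip: (attempts, connections, overloaded)} for the rule in the post."""
    return {ip: (e["attempts"], len(e["connections"]),
                 would_overload(e["connections"].values(), rate, seconds))
            for ip, e in failures_by_ip(log_text).items()}
```

Run over the sample, 200.27.164.214 shows three attempts on one connection and never reaches the 2/1 threshold, while 80.243.172.54 with three separate connections in the same second does.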

