Thousands of ssh probes
John
john at starfire.mn.org
Fri Mar 5 17:02:55 UTC 2010
On Fri, Mar 05, 2010 at 05:54:50PM +0100, Matthias Fechner wrote:
> Hi,
>
> Am 05.03.10 17:01, schrieb Matthew Seaman:
> >table <ssh-bruteforce> persist
> >[...near the top of the rules section...]
> >block drop in log quick on $ext_if from<ssh-bruteforce>
> >
> >[...later in the rules section...]
> >pass in on $ext_if proto tcp \
> > from any to $ext_if port ssh \
> > flags S/SA keep state \
> > (max-src-conn-rate 3/30, overload<ssh-bruteforce> flush global)
> >
>
> that is dangarous, if you use subversion over ssh you will sometimes get
> more then 10 requests in 30 seconds.
> That means you will also block users they are allowed to connect.
OK - that's good to know - but I'm not using subversion at this
time, and this is working nicely so far. I've already picked off
one hacker.
# pfctl -t ssh-bruteforce -T show
No ALTQ support in kernel
ALTQ related functions disabled
218.56.61.114
Mar 5 10:40:05 elwood sshd[18452]: Invalid user test from 218.56.61.114
Mar 5 10:40:10 elwood sshd[18457]: Invalid user admin from 218.56.61.114
Apparently got him on the third attempt, just as advertised.
--
John Lind
john at starfire.MN.ORG
The inherent vice of capitalism is the unequal sharing of blessings;
the inherent virtue of socialism is the equal sharing of miseries.
- Winston Churchill
More information about the freebsd-questions
mailing list