Thousands of ssh probes
John
john at starfire.mn.org
Fri Mar 5 17:11:52 UTC 2010
On Fri, Mar 05, 2010 at 05:04:03PM +0000, Matthew Seaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/03/2010 16:54:50, Matthias Fechner wrote:
> > Hi,
> >
> > Am 05.03.10 17:01, schrieb Matthew Seaman:
> >> table <ssh-bruteforce> persist
> >> [...near the top of the rules section...]
> >> block drop in log quick on $ext_if from<ssh-bruteforce>
> >>
> >> [...later in the rules section...]
> >> pass in on $ext_if proto tcp \
> >> from any to $ext_if port ssh \
> >> flags S/SA keep state \
> >> (max-src-conn-rate 3/30, overload<ssh-bruteforce> flush global)
> >>
> >
> > that is dangarous, if you use subversion over ssh you will sometimes get
> > more then 10 requests in 30 seconds.
> > That means you will also block users they are allowed to connect.
>
> Yes. Almost all of the time I use this I've also had a ssh-whitelist
> table -- addresses that will never be blocked in this way. Like this:
>
> table <ssh-bruteforce> persist
> table <ssh-whitelist> const { \
> 81.187.76.160/29 \
> 2001:8b0:151:1::/64 \
> } persist
>
> block drop in log quick on $ext_if from <ssh-bruteforce>
>
> pass in on $ext_if proto tcp \
> from <ssh-whitelist> to $ext_if port ssh \
> flags S/SA keep state
>
> pass in on $ext_if proto tcp \
> from !<ssh-whitelist> to $ext_if port ssh \
> flags S/SA keep state \
> (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
>
Ah. I see. That's clever. Rather than "overriding" the bruteforce
list, which would require getting rid of "quick", you use whitelist
to prevent things from ever going into the bruteforce table.
Nice!
I have just switched to pf from ipfw, so I am still learning the
nuances and style points.
--
John Lind
john at starfire.MN.ORG
More information about the freebsd-questions
mailing list