Thousands of ssh probes

Fri Mar 5 17:11:52 UTC 2010

On Fri, Mar 05, 2010 at 05:04:03PM +0000, Matthew Seaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 05/03/2010 16:54:50, Matthias Fechner wrote:
> > Hi,
> > 
> > Am 05.03.10 17:01, schrieb Matthew Seaman:
> >> table <ssh-bruteforce> persist
> >> [...near the top of the rules section...]
> >> block drop in log quick on $ext_if from<ssh-bruteforce>
> >>
> >> [...later in the rules section...]
> >> pass in on $ext_if proto tcp      \
> >>       from any to $ext_if port ssh \
> >>       flags S/SA keep state        \
> >>       (max-src-conn-rate 3/30, overload<ssh-bruteforce>  flush global)
> >>    
> > 
> > that is dangarous, if you use subversion over ssh you will sometimes get
> > more then 10 requests in 30 seconds.
> > That means you will also block users they are allowed to connect.
> 
> Yes.  Almost all of the time I use this I've also had a ssh-whitelist
> table -- addresses that will never be blocked in this way.  Like this:
> 
> table <ssh-bruteforce> persist
> table <ssh-whitelist> const { \
>     81.187.76.160/29          \
>     2001:8b0:151:1::/64       \
> } persist
> 
> block drop in log quick on $ext_if from <ssh-bruteforce>
> 
> pass in on $ext_if proto tcp                 \
>     from <ssh-whitelist> to $ext_if port ssh \
>     flags S/SA keep state
> 
> pass in on $ext_if proto tcp                  \
>     from !<ssh-whitelist> to $ext_if port ssh \
>     flags S/SA keep state                     \
>     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> 

Ah.  I see.  That's clever.  Rather than "overriding" the bruteforce
list, which would require getting rid of "quick", you use whitelist
to prevent things from ever going into the bruteforce table.

Nice!

I have just switched to pf from ipfw, so I am still learning the
nuances and style points.
-- 

John Lind
john at starfire.MN.ORG