a few problems with pf

Reinhold freebsd at violetlan.net
Wed May 14 15:15:46 UTC 2008


On Wed, May 14, 2008 14:51, Jon Radel wrote:
> Reinhold wrote:
>
>
>>
>> What I've also noticed is that in pf I have this rule
>> pass in log quick on $ext_if1 reply-to ($ext_if1 $ext_gw1) proto tcp
>> from any to { 192.168.1.2 } port = 22 keep state (max 1024, max-src-conn 15,
>> max-src-conn-rate 2/1, overload <bruteforce> flush global)
>>
>> When I'm getting the bad header thingy this rule doesn't work properly. It
>> lets all the traffic through but it never blocks the bad guys.
>
> Which bad guys are you expecting to block?  I just checked a couple of
> days' worth of logs and the fastest rate at which somebody was trying to
> brute force my ssh server was 1 attempt every 2 seconds.  Your rule won't
> trigger until 2 attempts every 1 second or faster, and I don't think those
> other limits are likely to get triggered either unless you see a lot more
> "bad guys" than I do on random addresses.  I find that
> max-src-conn-rate 3/10 tends to cut off the more energetic ones.
>
> --Jon Radel
>
>
I have almost the same rule on one of my 6.3 systems with 2/1 set and
yesterday it caught 6 bad guys and today 2.

I've made the change as you recommended. I actually was looking at an ssh
attempt earlier this week and it was connecting at about 3 to 4 per
second.
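To make the rate arithmetic in the exchange above concrete, here is an added simulation (not part of the original thread, and not pf's own code) that approximates max-src-conn-rate number/seconds as a sliding-window count per source address, treating a source as overloaded once it exceeds number new connections within seconds. The connection timestamps and addresses are constructed sample data: one source at 1 attempt every 2 seconds, one at roughly 3 per second, and one with two attempts a minute apart.

```python
from collections import defaultdict, deque

# Constructed sample data: (timestamp in seconds, source address) for each
# new TCP connection to port 22, in the shape a pf log would give you.
SAMPLE_CONNECTIONS = (
    [(t * 2.0, "203.0.113.10") for t in range(30)]    # 1 attempt every 2 s (Jon's observation)
    + [(t * 0.3, "198.51.100.7") for t in range(10)]  # about 3 attempts per second (Reinhold's)
    + [(0.0, "192.0.2.5"), (60.0, "192.0.2.5")]       # two attempts a minute apart
)


def overloaded_sources(connections, limit, seconds):
    """Return the set of source addresses that would land in the overload
    table under an assumed approximation of pf's max-src-conn-rate limit/seconds:
    a source is overloaded once more than `limit` new connections from it fall
    inside any window of `seconds`.
    """
    recent = defaultdict(deque)  # per-source timestamps inside the current window
    overloaded = set()
    for ts, src in sorted(connections):
        window = recent[src]
        window.append(ts)
        # Drop connections that have aged out of the window.
        while window and ts - window[0] > seconds:
            window.popleft()
        if len(window) > limit:
            overloaded.add(src)
    return overloaded


if __name__ == "__main__":
    # 2/1 only catches the fast attacker; 3/10 also catches the slow, steady one.
    print("max-src-conn-rate 2/1  ->", sorted(overloaded_sources(SAMPLE_CONNECTIONS, 2, 1)))
    print("max-src-conn-rate 3/10 ->", sorted(overloaded_sources(SAMPLE_CONNECTIONS, 3, 10)))
```

The slow source never exceeds 2 connections in any 1-second window, which is why a 2/1 rule looks like it is letting traffic through; over a 10-second window the same source accumulates 5 or 6 attempts and trips 3/10.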
