Limit connections doens't work
Nico De Dobbeleer
nico at elico-it.be
Sat Dec 5 14:09:59 UTC 2009
Hello,
As most of the public ip's my servers are constantly under bruteforce attack see example:
Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2
Dec 5 13:56:51 hosting sshd[18629]: Invalid user rtorres from 173.10.126.226
Dec 5 13:56:53 hosting sshd[18629]: Failed password for invalid user rtorres from 173.10.126.226 port 49872 ssh2
Dec 5 13:56:55 hosting sshd[18631]: Invalid user jatema from 173.10.126.226
Dec 5 13:56:57 hosting sshd[18631]: Failed password for invalid user jatema from 173.10.126.226 port 50293 ssh2
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 173.10.126.226 port 50702 ssh2
Dec 5 13:57:04 hosting sshd[18635]: Failed password for invalid user root from 173.10.126.226 port 51154 ssh2
Dec 5 13:57:06 hosting sshd[18637]: Invalid user boss from 173.10.126.226
Dec 5 13:57:08 hosting sshd[18637]: Failed password for invalid user boss from 173.10.126.226 port 51507 ssh2
Dec 5 13:57:09 hosting sshd[18639]: Invalid user sasha from 173.10.126.226
Dec 5 13:57:11 hosting sshd[18639]: Failed password for invalid user sasha from 173.10.126.226 port 51929 ssh2
Dec 5 13:57:13 hosting sshd[18641]: Invalid user vic from 173.10.126.226
Dec 5 13:57:14 hosting sshd[18641]: Failed password for invalid user vic from 173.10.126.226 port 52321 ssh2
Dec 5 13:57:16 hosting sshd[18643]: Invalid user ranjith from 173.10.126.226
Dec 5 13:57:18 hosting sshd[18643]: Failed password for invalid user ranjith from 173.10.126.226 port 52650 ssh2
Dec 5 13:57:21 hosting sshd[18645]: Failed password for invalid user root from 173.10.126.226 port 53087 ssh2
Dec 5 13:57:25 hosting sshd[18647]: Failed password for invalid user root from 173.10.126.226 port 53447 ssh2
Dec 5 13:57:29 hosting sshd[18649]: Failed password for invalid user root from 173.10.126.226 port 53852 ssh2
Now I want to limit the connection over ssh to a specific ipaddress and I added the rules below for that.
------------------------------------------------------------------------------------------------------------------
#Tables
table <abusive_ips> persist file "/etc/pf.abusive_ips.block.list"
table <brute> persist
# Rules
block quick from <abusive_ips>
block quick from <brute>
# Limit connections per IP
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
(max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
(max-src-conn 10, max-src-conn-rate 3/15, overload <brute> flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
(max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)
--------------------------------------------------------------------------------------------------------------------
The only problem is that it doesn't work. These rules don't write the abusive ip in the abusif list file or in the <brute> table.
Anyone an idea why it doesn't overload the ip's when the connections per ip are more then 10 of more then 3/15?
With kind regards,
Nico De Dobbeleer
More information about the freebsd-pf
mailing list