Limit connections doens't work

Sun Dec 6 09:19:14 UTC 2009

--- Original Message ---  
From: Nico De Dobbeleer <nico at elico-it.be>  
To: freebsd-pf at freebsd.org  
Date: 5 december, 16:09:52  
Subject: Limit connections doens't work  

  Hello,  

As most of the public ip's my servers are constantly under bruteforce attack see example:  

Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2  
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226  
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2  
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226  
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2  
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226  
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2  
Dec 5 13:56:51 hosting sshd[18629]: Invalid user rtorres from 173.10.126.226  
Dec 5 13:56:53 hosting sshd[18629]: Failed password for invalid user rtorres from 173.10.126.226 port 49872 ssh2  
Dec 5 13:56:55 hosting sshd[18631]: Invalid user jatema from 173.10.126.226  
Dec 5 13:56:57 hosting sshd[18631]: Failed password for invalid user jatema from 173.10.126.226 port 50293 ssh2  
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 173.10.126.226 port 50702 ssh2  
Dec 5 13:57:04 hosting sshd[18635]: Failed password for invalid user root from 173.10.126.226 port 51154 ssh2  
Dec 5 13:57:06 hosting sshd[18637]: Invalid user boss from 173.10.126.226  
Dec 5 13:57:08 hosting sshd[18637]: Failed password for invalid user boss from 173.10.126.226 port 51507 ssh2  
Dec 5 13:57:09 hosting sshd[18639]: Invalid user sasha from 173.10.126.226  
Dec 5 13:57:11 hosting sshd[18639]: Failed password for invalid user sasha from 173.10.126.226 port 51929 ssh2  
Dec 5 13:57:13 hosting sshd[18641]: Invalid user vic from 173.10.126.226  
Dec 5 13:57:14 hosting sshd[18641]: Failed password for invalid user vic from 173.10.126.226 port 52321 ssh2  
Dec 5 13:57:16 hosting sshd[18643]: Invalid user ranjith from 173.10.126.226  
Dec 5 13:57:18 hosting sshd[18643]: Failed password for invalid user ranjith from 173.10.126.226 port 52650 ssh2  
Dec 5 13:57:21 hosting sshd[18645]: Failed password for invalid user root from 173.10.126.226 port 53087 ssh2  
Dec 5 13:57:25 hosting sshd[18647]: Failed password for invalid user root from 173.10.126.226 port 53447 ssh2  
Dec 5 13:57:29 hosting sshd[18649]: Failed password for invalid user root from 173.10.126.226 port 53852 ssh2  

Now I want to limit the connection over ssh to a specific ipaddress and I added the rules below for that.  
------------------------------------------------------------------------------------------------------------------  
#Tables  
table <abusive_ips> persist file "/etc/pf.abusive_ips.block.list"  
table <brute> persist  

# Rules  

block quick from <abusive_ips>  
block quick from <brute>  

# Limit connections per IP  

pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state  
(max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)  
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state  
(max-src-conn 10, max-src-conn-rate 3/15, overload <brute> flush)  
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state  
(max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)  
--------------------------------------------------------------------------------------------------------------------  

The only problem is that it doesn't work. These rules don't write the abusive ip in the abusif list file or in the <brute> table.  

Anyone an idea why it doesn't overload the ip's when the connections per ip are more then 10 of more then 3/15?  

With kind regards,  
Nico De Dobbeleer  

_______________________________________________  
freebsd-pf at freebsd.org mailing list  
http://lists.freebsd.org/mailman/listinfo/freebsd-pf  
To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"    

    I think you should specify  

source-track rule (rule or lobal) in your rulesLike this:  

pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state  
(max 10, source-track rule, max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)  

See in PF FAQ  

Stateful Tracking Options.