pf and max-src-conn-rate

Sergey V. Dyatko sergey.dyatko at gmail.com
Tue Nov 17 11:02:02 UTC 2009


On Tue, 17 Nov 2009 12:48:04 +0200
"Sergey V. Dyatko" <Sergey.Dyatko at gmail.com> wrote:

Oops, sorry for the noise. I didn't see that it is only 1 connection.

SVD> Hi list, 
SVD> I'm trying to stop ssh brute force on my box (rules below), but it
SVD> doesn't work. Looks like a 1 sec interval is too small :(
SVD> 
SVD> from auth.log:
SVD> ...
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from
SVD> 200.27.164.214
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: error: PAM: authentication
SVD> error for illegal user cobert from server.aconex.cl
SVD> Nov 17 13:32:14 master-db6 sshd[3902]: Failed
SVD> keyboard-interactive/pam for invalid user cobert from
SVD> 200.27.164.214 port 57587 ssh2 ...
SVD> Nov 17 13:40:17 master-db6 sshd[3961]: error: PAM: authentication
SVD> error for illegal user colman from 80.243.172.54
SVD> Nov 17 13:40:17 master-db6 sshd[3961]: Failed
SVD> keyboard-interactive/pam for invalid user colman from
SVD> 80.243.172.54 port 45081 ssh2 ...
SVD> 
SVD> As you can see, I got 2 connections from 1 IP in 1 second, but...
SVD> 
SVD> #pfctl -tbots -Tshow|wc -l
SVD> 0
SVD> 
SVD> Where am I wrong?
SVD> pf.conf:
SVD> 
SVD> ext_if="em0"
SVD> 
SVD> table <trusted_hosts> { my_net/24, some_ip/32}
SVD> table <bots> persist
SVD> 
SVD> scrub in all
SVD> 
SVD> pass in quick on $ext_if proto tcp from <trusted_hosts> 
SVD> block in quick from <bots>
SVD> 
SVD> pass in quick on $ext_if proto tcp to $ext_if port ssh \
SVD>                flags S/SA keep state \
SVD>         ( max-src-conn-rate 2/1 overload <bots> flush )
SVD> 
SVD> pass in all
SVD> pass out all
SVD> 
SVD> 


--
wbr, tiger
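The self-correction above (the two 13:32:14 lines carry the same sshd pid and source port, so they are several authentication attempts inside one TCP connection, and pf's max-src-conn-rate counts connections, not attempts) can be checked against the log itself. The script below is an added example, not code from this thread or from pf/sshd: it parses constructed auth.log lines modelled on the quoted ones (a third burst from 198.51.100.7 is made up to show what does trip the rule), counts failures the way grep on auth.log shows them and connections the way pf's source tracking sees them, and approximates `max-src-conn-rate number/seconds` as a strict sliding window, which is an assumption; pf itself uses a moving average.

```python
"""Count sshd failures the way auth.log shows them versus the way pf's
max-src-conn-rate sees them (new TCP connections per source address).
Added illustration; not code from the freebsd-pf thread, pf or OpenSSH."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the ones quoted in the thread.  The
# first three share sshd[3902] and source port 57587: ONE TCP connection with
# several authentication attempts inside it.  sshd[4101..4103] (made-up pids
# and address) are three separate connections from one host in one second.
SAMPLE_LOG = """\
Nov 17 13:32:14 master-db6 sshd[3902]: Invalid user cobert from 200.27.164.214
Nov 17 13:32:14 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
Nov 17 13:32:16 master-db6 sshd[3902]: Failed keyboard-interactive/pam for invalid user cobert from 200.27.164.214 port 57587 ssh2
Nov 17 13:40:17 master-db6 sshd[3961]: Failed keyboard-interactive/pam for invalid user colman from 80.243.172.54 port 45081 ssh2
Nov 17 13:50:00 master-db6 sshd[4101]: Failed keyboard-interactive/pam for invalid user admin from 198.51.100.7 port 50001 ssh2
Nov 17 13:50:00 master-db6 sshd[4102]: Failed keyboard-interactive/pam for invalid user admin from 198.51.100.7 port 50002 ssh2
Nov 17 13:50:00 master-db6 sshd[4103]: Failed keyboard-interactive/pam for invalid user admin from 198.51.100.7 port 50003 ssh2
"""

# syslog stamp, host, "sshd[pid]:", message text, "from IP", optional "port N"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<msg>.*?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port (?P<port>\d+))?"
)


def parse(line):
    """Return (timestamp, pid, ip, failed) or None for non-sshd lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less stamp
    return ts, int(m.group("pid")), m.group("ip"), m.group("msg").startswith("Failed")


def failures_per_ip(log):
    """What grep on auth.log suggests: failed attempts per source address."""
    counts = defaultdict(int)
    for line in log.splitlines():
        ev = parse(line)
        if ev and ev[3]:
            counts[ev[2]] += 1
    return dict(counts)


def connections_per_ip(log):
    """What pf can see: distinct TCP connections per source address.  OpenSSH
    forks one sshd child per connection, so the pid identifies the connection
    no matter how many password attempts happen inside it."""
    pids = defaultdict(set)
    for line in log.splitlines():
        ev = parse(line)
        if ev:
            pids[ev[2]].add(ev[1])
    return {ip: len(s) for ip, s in pids.items()}


def first_seen(log):
    """Earliest timestamp at which each (ip, pid) connection appears."""
    seen = {}
    for line in log.splitlines():
        ev = parse(line)
        if ev:
            key = (ev[2], ev[1])
            if key not in seen or ev[0] < seen[key]:
                seen[key] = ev[0]
    return seen


def exceeds_conn_rate(log, ip, number, seconds):
    """Approximate 'max-src-conn-rate number/seconds' for one source: True if
    more than `number` NEW connections from `ip` start inside any window of
    `seconds`.  Assumption: a strict sliding window; pf uses a moving average,
    so this only approximates when the overload table would be fed."""
    starts = sorted(ts for (addr, _pid), ts in first_seen(log).items() if addr == ip)
    for i, t0 in enumerate(starts):
        in_window = sum(1 for t in starts[i:] if (t - t0).total_seconds() < seconds)
        if in_window > number:
            return True
    return False


if __name__ == "__main__":
    print("failed attempts:", failures_per_ip(SAMPLE_LOG))
    print("connections    :", connections_per_ip(SAMPLE_LOG))
    for ip in connections_per_ip(SAMPLE_LOG):
        print(ip, "trips max-src-conn-rate 2/1:", exceeds_conn_rate(SAMPLE_LOG, ip, 2, 1))
```

Run as-is; 200.27.164.214 shows two failures but one connection and never trips 2/1, while the made-up 198.51.100.7 burst does. The practical consequence for the quoted pf.conf: sshd's default MaxAuthTries of 6 lets one connection try six passwords without ever registering as a second connection, so max-src-conn-rate alone only catches clients that reconnect quickly; lowering MaxAuthTries in sshd_config, or feeding the <bots> table from the log, covers the single-connection case.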

