brutal SSH attacks

Vadym Chepkov vchepkov at gmail.com
Tue Feb 8 23:02:52 UTC 2011


On Feb 8, 2011, at 5:26 PM, Helmut Schneider wrote:

>> Could somebody help in figuring out why the PF configuration meant to prevent brutal SSH attacks doesn't work.
> 
> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post a vital part). We can also assume that pf is enabled, can we?

What should I be looking for in pflog? I can't find anything ssh related. I posted the full ruleset too.


[root at castor ~]# service pf status
Status: Enabled for 74 days 00:20:02          Debug: Urgent

State Table                          Total             Rate
  current entries                       10               
  searches                        94773790           14.8/s
  inserts                           228426            0.0/s
  removals                          228416            0.0/s
Counters
  match                           93343976           14.6/s
  bad-offset                             0            0.0/s
  fragment                              11            0.0/s
  short                                  0            0.0/s
  normalize                              4            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                          40706            0.0/s
  proto-cksum                          354            0.0/s
  state-mismatch                        57            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                            116            0.0/s
  synproxy                               0            0.0/s


[root at castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)

[root at castor ~]# pfctl -sr
scrub in all fragment reassemble
block return in log on bce1 all
block drop in quick on bce1 from <martians> to any
block return out quick on bce1 from any to <martians>
pass out quick on bce1 from <granted_out_net> to any flags S/SA keep state
block drop in quick from <abusive_hosts> to any
pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global, src.track 60)
pass quick inet proto tcp from any to 38.X.X.X port = domain flags S/SA keep state
pass quick inet proto udp from any to 38.X.X.X port = domain keep state
pass quick inet proto udp from any to 38.X.X.X port = openvpn keep state
pass quick inet proto icmp from any to 38.X.X.X icmp-type squench no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type unreach no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type timex no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type echoreq no state
pass quick inet proto udp from any to 38.X.X.X port 33434:33523 keep state

Thanks,
Vadym


