brutal SSH attacks
Vadym Chepkov
vchepkov at gmail.com
Tue Feb 8 23:02:52 UTC 2011
On Feb 8, 2011, at 5:26 PM, Helmut Schneider wrote:
>> Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.
>
> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post a vital part). We also can assume that pf is enabled, can we?
What should I be looking for in pflog? I can't find anything ssh-related. I posted the full ruleset too.
[root at castor ~]# service pf status
Status: Enabled for 74 days 00:20:02 Debug: Urgent
State Table                        Total             Rate
  current entries                     10
  searches                      94773790           14.8/s
  inserts                         228426            0.0/s
  removals                        228416            0.0/s
Counters
  match                         93343976           14.6/s
  bad-offset                           0            0.0/s
  fragment                            11            0.0/s
  short                                0            0.0/s
  normalize                            4            0.0/s
  memory                               0            0.0/s
  bad-timestamp                        0            0.0/s
  congestion                           0            0.0/s
  ip-option                        40706            0.0/s
  proto-cksum                        354            0.0/s
  state-mismatch                      57            0.0/s
  state-insert                         0            0.0/s
  state-limit                          0            0.0/s
  src-limit                          116            0.0/s
  synproxy                             0            0.0/s
[root at castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
reading from file -, link-type PFLOG (OpenBSD pflog file)
[root at castor ~]# pfctl -sr
scrub in all fragment reassemble
block return in log on bce1 all
block drop in quick on bce1 from <martians> to any
block return out quick on bce1 from any to <martians>
pass out quick on bce1 from <granted_out_net> to any flags S/SA keep state
block drop in quick from <abusive_hosts> to any
pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global, src.track 60)
pass quick inet proto tcp from any to 38.X.X.X port = domain flags S/SA keep state
pass quick inet proto udp from any to 38.X.X.X port = domain keep state
pass quick inet proto udp from any to 38.X.X.X port = openvpn keep state
pass quick inet proto icmp from any to 38.X.X.X icmp-type squench no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type unreach no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type timex no state
pass quick inet proto icmp from any to 38.X.X.X icmp-type echoreq no state
pass quick inet proto udp from any to 38.X.X.X port 33434:33523 keep state
Thanks,
Vadym
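An added cross-check, not part of this thread or of pf itself: the script below replays pflog-style tcpdump lines (a constructed sample, using documentation-range addresses) through the same "9 new connections per 60 seconds" threshold as the ruleset's max-src-conn-rate 9/60, so you can compare which sources should have landed in <abusive_hosts> against what `pfctl -t abusive_hosts -T show` reports. The interface name, rule number and timestamps in the sample are assumptions.

```shell
#!/bin/sh
# Added example: emulate pf's "max-src-conn-rate 9/60" over logged SSH SYNs.
# Input format is what "tcpdump -n -e -tt -r /var/log/pflog 'tcp and port 22'"
# prints, roughly: "<epoch> rule 7/0(match): pass in on bce1: SRC.PORT > DST.22: Flags [S], ..."
# The parser only relies on the epoch in field 1 and the "SRC.PORT >" token.

# Constructed sample log: 203.0.113.5 opens 10 SSH connections in 45 s,
# 198.51.100.7 opens 3 spread over 5 minutes.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
{
  i=0
  while [ "$i" -lt 10 ]; do
    printf '%d.000000 rule 7/0(match): pass in on bce1: 203.0.113.5.%d > 38.0.0.1.22: Flags [S], seq 1, win 8192, length 0\n' \
      $((1297190000 + i * 5)) $((40000 + i))
    i=$((i + 1))
  done
  for t in 1297190010 1297190020 1297190300; do
    printf '%d.000000 rule 7/0(match): pass in on bce1: 198.51.100.7.5%04d > 38.0.0.1.22: Flags [S], seq 1, win 8192, length 0\n' \
      "$t" $((t % 10000))
  done
} > "$SAMPLE"

# ssh_rate_check FILE [LIMIT] [WINDOW]: print every source that exceeds LIMIT
# new connections (SYN only, "Flags [S]," not "[S.]") within any WINDOW-second
# span, which is the condition that makes pf overload the source into the table.
ssh_rate_check() {
  awk -v limit="${2:-9}" -v window="${3:-60}" '
    /Flags \[S\],/ {
      for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
      sub(/\.[0-9]+$/, "", src)                  # drop the source port
      now = $1 + 0
      n[src]++; t[src, n[src]] = now              # append to per-source history
      if (!(src in head)) head[src] = 1
      while (t[src, head[src]] < now - window) head[src]++   # slide the window
      if (n[src] - head[src] + 1 > limit) over[src] = 1
    }
    END { for (s in over) print s }' "$1" | sort
}

ssh_rate_check "$SAMPLE"    # prints 203.0.113.5
```

If a source shows up here but not in `pfctl -t abusive_hosts -T show`, the overload never fired for it (for example because those SYNs matched a different pass rule than the one carrying the limits); if it is in the table but keeps connecting, the block rule for the table is not the one being hit.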