brutal SSH attacks

Vadym Chepkov vchepkov at gmail.com
Wed Feb 9 00:11:42 UTC 2011


On Feb 8, 2011, at 7:01 PM, Helmut Schneider wrote:

>>> Check your pflog. The ruleset itself seems fine (if it is complete and you did not forget to post
>>> a vital part). We also can assume that pf is enabled, can we?
>> 
>> What should I be looking for in pflog? I can't find anything ssh related. I posted full ruleset too.
> [...]
>> [root at castor /var/log]# for log in pflog.?.bz2 ; do bzcat $log|tcpdump -r - port ssh ; done
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
>> reading from file -, link-type PFLOG (OpenBSD pflog file)
> 
> Well...
> 
>> block drop in quick from <abusive_hosts> to any
>> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global, src.track 60)
> 
> "block drop in quick log..." and "pass quick inet proto log" might be useful. BTW, what version of FreeBSD are you using? The machine isn't multi-homed, is it? 

8.1-RELEASE-p1, just one external interface.

I will add "log" to "pass ssh", but what would I "block drop in quick" though?

Vadym
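The reason nothing SSH-related shows up in pflog is that pf only writes a packet to the pflog interface when the rule that matched it carries the `log` keyword; neither rule quoted above has it. The following is an added example (not from this thread, and not FreeBSD or pf project code): it shows the two rules with `log` added as a comment, then a small POSIX shell script that reads the text `tcpdump -n -e -r /var/log/pflog port ssh` prints and counts blocked and passed SSH connection attempts per source address, so a brute-force source that has been pushed into `<abusive_hosts>` stands out. The interface name `em0`, the host addresses and the log lines are constructed sample data; the `rule N/0(match): block in on IFACE: src.port > dst.port:` prefix is the shape tcpdump gives pflog records, but check it against your own capture before relying on the field positions.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
#
# Constructed pf.conf fragment with "log" added to both rules (the thread's
# 38.X.X.X placeholder is kept; em0 is an assumed interface name):
#
#   block drop in quick log from <abusive_hosts> to any
#   pass quick inet proto tcp log from any to 38.X.X.X port = ssh \
#       flags S/SA keep state (max-src-conn 10, max-src-conn-rate 9/60, \
#       overload <abusive_hosts> flush global)
#
# After "pfctl -f /etc/pf.conf", matching packets appear in /var/log/pflog and
# can be read with:  tcpdump -n -e -r /var/log/pflog port ssh
# Hosts already moved into the overload table are listed with:
#   pfctl -t abusive_hosts -T show

# Constructed sample of what that tcpdump command prints (not a real capture).
# Lines that are not pflog records (e.g. the "reading from file" banner) are ignored.
SAMPLE_PFLOG='reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
00:00:01.000000 rule 1/0(match): pass in on em0: 192.0.2.10.51001 > 38.0.0.1.22: S 1:1(0) win 65535
00:00:02.000000 rule 1/0(match): pass in on em0: 203.0.113.5.40001 > 38.0.0.1.22: S 1:1(0) win 65535
00:00:03.000000 rule 0/0(match): block in on em0: 192.0.2.10.51002 > 38.0.0.1.22: S 1:1(0) win 65535
00:00:04.000000 rule 0/0(match): block in on em0: 192.0.2.10.51003 > 38.0.0.1.22: S 1:1(0) win 65535
00:00:05.000000 rule 0/0(match): block in on em0: 198.51.100.7.33000 > 38.0.0.1.22: S 1:1(0) win 65535
00:00:06.000000 rule 0/0(match): block in on em0: 192.0.2.10.51004 > 38.0.0.1.22: S 1:1(0) win 65535'

# summarize_pflog: read tcpdump pflog text on stdin and print one line per
# (action, source address) pair as "<action> <src_ip> <count>", most frequent
# first. Field layout of a pflog record as printed by tcpdump -n -e:
#   $1 time  $2 "rule"  $3 "N/0(match):"  $4 action  $5 dir  $6 "on"  $7 "iface:"
#   $8 src.port  $9 ">"  $10 dst.port:
summarize_pflog() {
    awk '
    /rule [0-9]+\/[0-9]+\(match\):/ {
        action = $4
        src = ""
        for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
        if (src == "") next
        sub(/\.[0-9]+$/, "", src)          # drop the trailing ".port"
        count[action " " src]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2
}

# top_blocked_src: the single source address with the most blocked packets.
top_blocked_src() {
    summarize_pflog | awk '$1 == "block" { print $2; exit }'
}

# blocked_sources_at_least: sources with at least N blocked packets (N = $1),
# useful as a quick cross-check against "pfctl -t abusive_hosts -T show".
blocked_sources_at_least() {
    summarize_pflog | awk -v n="$1" '$1 == "block" && $3 >= n { print $2 }'
}

# Usage on the constructed sample (replace with: tcpdump -n -e -r /var/log/pflog port ssh | summarize_pflog)
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
```

With the two rules logging, every SYN that the `pass` rule accepts and every packet the `block` rule drops becomes a pflog record, so the first sign of a source hitting `max-src-conn-rate` is a run of `pass` entries followed by nothing but `block` entries from the same address.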



More information about the freebsd-pf mailing list