brutal SSH attacks

Vadym Chepkov vchepkov at gmail.com
Wed Feb 9 00:51:45 UTC 2011


On Feb 8, 2011, at 7:47 PM, Luke Jee wrote:

> Hi Vadyam,
> 
> try this:
> table <abusive_hosts>
> 
> remove persist, I remember it means the table will be read-only

That contradicts the manual:

     Tables may be defined with the following two attributes:

     persist  The persist flag forces the kernel to keep the table even when
              no rules refer to it.  If the flag is not set, the kernel will
              automatically remove the table when the last rule referring to
              it is flushed.

     const    The const flag prevents the user from altering the contents of
              the table once it has been created.  Without that flag, pfctl(8)
              can be used to add or remove addresses from the table at any
              time, even when running with securelevel(7) = 2.

     For example,

           table <private> const { 10/8, 172.16/12, 192.168/16 }
           table <badhosts> persist
           block on fxp0 from { <private>, <badhosts> } to any



> 
> On Wed, Feb 9, 2011 at 2:11 AM, Vadym Chepkov <vchepkov at gmail.com> wrote:
> Hi,
> 
> Could somebody help me figure out why a PF configuration meant to prevent brutal SSH attacks doesn't work?
> 
> Here are the relevant parts:
> 
> /etc/ssh/sshd_config
> 
> PasswordAuthentication no
> MaxAuthTries 1
> 
> /etc/pf.conf
> 
> block in log on $wan_if
> 
> table <abusive_hosts> persist
> block drop in quick from <abusive_hosts>
> 
> pass quick proto tcp to $wan_if port ssh keep state \
> (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
> 
> I would expect that if somebody tried to make more than 9 connections a minute, they would have been blocked.
> 
> But it's not the case:
> 
> Feb  7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
> Feb  7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
> Feb  7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
> Feb  7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
> Feb  7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
> Feb  7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
> Feb  7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
> Feb  7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
> Feb  7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
> Feb  7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
> Feb  7 19:20:37 castor sshd[21436]: Invalid user shelby from 113.185.0.16
> Feb  7 19:20:41 castor sshd[21438]: Invalid user amelia from 113.185.0.16
> Feb  7 19:20:44 castor sshd[21442]: Invalid user jada from 113.185.0.16
> Feb  7 19:20:48 castor sshd[21444]: Invalid user kendall from 113.185.0.16
> Feb  7 19:20:51 castor sshd[21446]: Invalid user courtney from 113.185.0.16
> Feb  7 19:20:54 castor sshd[21448]: Invalid user brooklyn from 113.185.0.16
> Feb  7 19:20:58 castor sshd[21450]: Invalid user autumn from 113.185.0.16
> Feb  7 19:21:01 castor sshd[21452]: Invalid user mary from 113.185.0.16
> 
> What did I miss?
> 
> Thank you,
> Vadym
> 
> 
> 
> 
> -- 
> Luke Jee
> CEO
> Prevantage Corporation
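As an added example (not code from the thread), this Python script replays the sshd lines Vadym posted through the same kind of counter pf keeps for "max-src-conn-rate 9/60": a sliding 60-second window of new connections per source address, taking each distinct sshd PID as one connection. It shows the tenth connection at 19:20:34 already exceeds the limit; pf only counts states created by the pass rule carrying the option, so whether those connections created state on that rule is the thing to verify on the box.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd lines as quoted in the thread. Each distinct sshd PID is a separate
# TCP connection, i.e. one new pf state on whichever rule let it in.
LOG = """\
Feb  7 19:20:03 castor sshd[21416]: Invalid user peyton from 113.185.0.16
Feb  7 19:20:06 castor sshd[21418]: Invalid user lindsey from 113.185.0.16
Feb  7 19:20:10 castor sshd[21420]: Invalid user ashlyn from 113.185.0.16
Feb  7 19:20:13 castor sshd[21422]: Invalid user carly from 113.185.0.16
Feb  7 19:20:17 castor sshd[21424]: Invalid user marissa from 113.185.0.16
Feb  7 19:20:20 castor sshd[21426]: Invalid user gracie from 113.185.0.16
Feb  7 19:20:24 castor sshd[21428]: Invalid user sierra from 113.185.0.16
Feb  7 19:20:27 castor sshd[21430]: Invalid user lillian from 113.185.0.16
Feb  7 19:20:31 castor sshd[21432]: Invalid user jillian from 113.185.0.16
Feb  7 19:20:34 castor sshd[21434]: Invalid user reagan from 113.185.0.16
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
                     r"Invalid user \S+ from (?P<ip>\S+)$")

def parse(log, year=2011):
    """Yield (seconds, syslog timestamp, source ip) for each 'Invalid user' line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield (ts - datetime(year, 1, 1)).total_seconds(), m["ts"], m["ip"]

def overload_candidates(log, max_conn=9, window=60):
    """Emulate pf's 'max-src-conn-rate max_conn/window' per source address.

    pf counts new states inside a sliding window; here every sshd PID is one
    state. Returns {ip: timestamp of the connection that exceeded the limit}."""
    recent = defaultdict(deque)
    tripped = {}
    for when, stamp, ip in parse(log):
        q = recent[ip]
        while q and when - q[0] >= window:      # drop connections older than the window
            q.popleft()
        q.append(when)
        if len(q) > max_conn and ip not in tripped:
            tripped[ip] = stamp
    return tripped

if __name__ == "__main__":
    for ip, stamp in overload_candidates(LOG).items():
        print(f"{ip} exceeded 9 connections/60s at {stamp}; expected in <abusive_hosts>")
```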