brutal SSH attacks

Damien Fleuriot ml at my.gd
Thu Feb 10 14:13:14 UTC 2011



On 2/8/11 11:06 PM, Vadym Chepkov wrote:
> 
> On Feb 8, 2011, at 2:58 PM, Mike Tancsa wrote:
> 
>> On 2/8/2011 1:11 PM, Vadym Chepkov wrote:
>>> Hi,
>>>
>>> Could somebody help in figuring out why PF configuration meant to prevent brutal SSH attacks doesn't work.
>>>
>>> Here are the relevant parts:
>>>
>>> /etc/ssh/sshd_config
>>>
>>> PasswordAuthentication no
>>> MaxAuthTries 1
>>>
>>> /etc/pf.conf
>>>
>>> block in log on $wan_if
>>>
>>> table <abusive_hosts> persist
>>> block drop in quick from <abusive_hosts>
>>>
>>> pass quick proto tcp to $wan_if port ssh keep state \
>>> (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)
>>
>>
>> On RELENG_7 and 8 I use something like that.  Is there a different IP
>> they might be connecting to that is not covered under $wan_if?
>>
> 
> That would mean this rule doesn't work:
> 
> block in log on $wan_if
> 
> 


No, it wouldn't.

Your "block in log on $wan_if" rule is not quick, which means the
ruleset evaluation continues.

If another rule further down matches (the pass in quick for instance)
then it is applied instead.


normal rules: last match is applied to the packet
quick rules: first match is applied and ruleset evaluation ends


On a side note, I think you are under no obligation to add the "keep
state" bit to the rule.
Rules default to "keep state flags S/SA".
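Damien's evaluation-order point, modelled as an added example (my code, not from the thread): a toy evaluator that walks the three quoted rules with PF's last-match-wins-unless-quick semantics, so you can see the non-quick block rule get superseded by the later `pass quick`. The $wan_if address and the `<abusive_hosts>` entry are constructed sample values; direction, protocol and state options are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins: the address bound to $wan_if and one table entry.
WAN_IF_ADDR = "203.0.113.10"
ABUSIVE_HOSTS = frozenset({"198.51.100.7"})

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    iface: str = "wan_if"

@dataclass
class Rule:
    label: str                          # the pf.conf line this stands for
    action: str                         # "pass" or "block"
    quick: bool = False
    iface: Optional[str] = None         # 'on $wan_if'
    src_table: frozenset = frozenset()  # 'from <abusive_hosts>'
    dst: Optional[str] = None           # 'to $wan_if'
    dport: Optional[int] = None         # 'port ssh'

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or pkt.iface == self.iface)
                and (not self.src_table or pkt.src in self.src_table)
                and (self.dst is None or pkt.dst == self.dst)
                and (self.dport is None or pkt.dport == self.dport))

# The three filter rules quoted in the thread (only what decides a match here).
RULESET = [
    Rule("block in log on $wan_if", "block", iface="wan_if"),
    Rule("block drop in quick from <abusive_hosts>", "block", quick=True,
         src_table=ABUSIVE_HOSTS),
    Rule("pass quick proto tcp to $wan_if port ssh", "pass", quick=True,
         dst=WAN_IF_ADDR, dport=22),
]

def evaluate(pkt: Packet, rules=RULESET) -> Optional[Rule]:
    """Walk the ruleset like PF: the last matching rule wins, unless a
    matching rule is 'quick', which ends evaluation immediately."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule              # remember the latest match so far
            if rule.quick:
                break                  # quick: stop here, this rule applies
    return winner
```

An ordinary SSH client hits the non-quick block rule first, but the later `pass quick` ends evaluation and wins; a source already in the table is stopped by the quick block before the pass rule is ever reached.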

