Thousands of ssh probes

John john at
Fri Mar 5 17:02:55 UTC 2010

On Fri, Mar 05, 2010 at 05:54:50PM +0100, Matthias Fechner wrote:
> Hi,
> Am 05.03.10 17:01, schrieb Matthew Seaman:
> >table <ssh-bruteforce> persist
> >[...near the top of the rules section...]
> >block drop in log quick on $ext_if from<ssh-bruteforce>
> >
> >[...later in the rules section...]
> >pass in on $ext_if proto tcp      \
> >      from any to $ext_if port ssh \
> >      flags S/SA keep state        \
> >      (max-src-conn-rate 3/30, overload<ssh-bruteforce>  flush global)
> >   
> that is dangarous, if you use subversion over ssh you will sometimes get 
> more then 10 requests in 30 seconds.
> That means you will also block users they are allowed to connect.

OK - that's good to know - but I'm not using subversion at this
time, and this is working nicely so far.  I've already picked off
one hacker.

# pfctl -t ssh-bruteforce -T show
No ALTQ support in kernel
ALTQ related functions disabled

Mar  5 10:40:05 elwood sshd[18452]: Invalid user test from
Mar  5 10:40:10 elwood sshd[18457]: Invalid user admin from

Apparently got him on the third attempt, just as advertised.

John Lind
john at starfire.MN.ORG

The inherent vice of capitalism is the unequal sharing of blessings;
the inherent virtue of socialism is the equal sharing of miseries.
  - Winston Churchill

More information about the freebsd-questions mailing list