Reality check: IPFW sees SSH traffic that sshd does not?

[Carl Makin]

On 22/03/2007, at 1:50 AM, Eygene Ryabinkin wrote:

> You can use the following rule that will put very fast SSH connectors
> to the pf table ssh_scans:
> -----
> pass in quick   on $iface proto tcp from any to $ip port 22 flags S/ 
> AUSPF \
> keep state (max-src-conn 4, max-src-conn-rate 6/1, overload  
> <ssh_scans> flush)
> -----

Interesting, I really must get off my ass and look closely at pf.

I use the Simple Event Correlater (sec, in ports) to parse the auth  
logfile and add ipfw rules blocking the originating site once it sees  
3 authentication failures of any kind from a single address.  One of  
the sec rules looks like this;

-----------------------
type=SingleWithThreshold
ptype=RegExp
pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed  
password for $1 from $2' /usr/bin/ma
il -s 'SSH Attack from $2' me at myaddress.com
window=60
thresh=3
-----------------------

ipfwadd.sh is just

/sbin/ipfw add 25 deny log tcp from $1 to any in via tun0

-----------------------

I also have a rule that emails me whenever someone successfully logs  
into the system.

It's not foolproof, but it helps.


Carl.