machine hangs on occasion - correlated with ssh break-in attempts

Mike Tancsa mike at sentex.net
Fri Aug 22 13:48:07 UTC 2008


At 04:37 PM 8/21/2008, Brooks Davis wrote:
>On Thu, Aug 21, 2008 at 10:10:42PM +0200, Rink Springer wrote:
> > On Thu, Aug 21, 2008 at 01:03:09PM -0700, Jeremy Chadwick wrote:
> > > Finally, consider moving to pf instead, if you really feel ipfw is
> > > what's causing your machine to crash.  You might be pleasantly surprised
> > > by the syntax, and overall administrative usability (it is significantly
> > > superior to ipfw, IMHO).
> >
> > In fact, pf can already do this out-of-the-box, by doing something like:
> >
> > table <sshlusers> persist
> > pass quick on $wan_if proto tcp from any to any port ssh flags S/SA keep state \
> >      (max-src-conn 15, max-src-conn-rate 5/3, overload <sshlusers> flush global)
> >
> > If that is not an option, I have found that security/denyhosts works
> > pretty well too (it just adds IPs to /etc/hosts.deniedssh, and
> > host_access(5) denies them based on this)
>
>You almost certainly don't want to rate limit ssh connections, only failed
>ones.  If you rate limit connections and use svn, you're likely to lock
>yourself out.

I find a happy balance is to exclude trusted CIDR blocks from the 
rate limiting and let everything else be limited.

e.g.


table <bruteforce> persist
table <SSHTRUSTED> {192.168.0.0/16,1.0.0.0/24}


block log quick proto tcp from <bruteforce> to any port 22


block in log on $ext_if all

pass log quick proto { tcp } from {!<SSHTRUSTED>} to $myaddress port ssh \
         flags S/SA keep state \
         (max-src-conn 6, max-src-conn-rate 3/30, \
         overload <bruteforce> flush global)

pass in on $ext_if inet proto tcp from <SSHTRUSTED> to $ext_if port ssh \
         keep state

and then a crontab entry

*/5 * * * * /usr/local/sbin/expiretable -v -t 5m bruteforce

         ---Mike 
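The following is an added simulation of the mechanism Mike's ruleset relies on; it is not pf code and is not part of the original thread. It models pf's max-src-conn-rate N/S counter, the overload table, a trusted table that bypasses the limit, and the periodic expiretable sweep, so the interaction between the 3/30 rate, the 5 minute expiry and the trusted exclusion can be traced on constructed connection events. Class and method names and the sample addresses are assumptions chosen for the example.

```python
"""Constructed model of pf's source-rate overload with a trusted-table bypass.

Not pf itself: the names below (SshRateLimiter, new_connection, expire) are
assumptions for this example, and the addresses used are constructed.
"""
from collections import deque
import ipaddress


class SshRateLimiter:
    def __init__(self, trusted_cidrs, max_conn, window_s, ban_s):
        # <SSHTRUSTED> table: sources that are never rate limited
        self.trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
        # max-src-conn-rate max_conn/window_s
        self.max_conn = max_conn
        self.window_s = window_s
        # expiretable -t <ban_s>: how long an entry lives in <bruteforce>
        self.ban_s = ban_s
        self.recent = {}      # ip -> deque of timestamps of new connections
        self.bruteforce = {}  # ip -> time the source was added to the overload table

    def is_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted)

    def expire(self, now):
        """Model of the cron job: drop overload entries older than ban_s."""
        stale = [ip for ip, t in self.bruteforce.items() if now - t >= self.ban_s]
        for ip in stale:
            del self.bruteforce[ip]
        return stale

    def new_connection(self, now, ip):
        """Decide 'pass' or 'block' for a new SSH SYN from ip at time now.

        Like pf's max-src-conn-rate, this counts new connections (state
        creations), not failed logins; that is why a trusted table matters.
        """
        if self.is_trusted(ip):
            return "pass"          # rule for <SSHTRUSTED>: no rate counters
        if ip in self.bruteforce:
            return "block"         # 'block quick from <bruteforce>' rule
        q = self.recent.setdefault(ip, deque())
        q.append(now)
        # keep only connections inside the sliding window
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.max_conn:
            # overload: add the source to <bruteforce> and flush its states
            self.bruteforce[ip] = now
            q.clear()
            return "block"
        return "pass"


def demo():
    """Replay constructed events: a scanner, a trusted host, then expiry."""
    lim = SshRateLimiter(["192.168.0.0/16"], max_conn=3, window_s=30, ban_s=300)
    scanner = [(0, "203.0.113.5"), (5, "203.0.113.5"),
               (10, "203.0.113.5"), (12, "203.0.113.5"), (20, "203.0.113.5")]
    decisions = [lim.new_connection(t, ip) for t, ip in scanner]
    trusted = [lim.new_connection(t, "192.168.1.10") for t in range(10)]
    expired = lim.expire(400)
    after = lim.new_connection(400, "203.0.113.5")
    return decisions, trusted, expired, after


if __name__ == "__main__":
    print(demo())
```

Note that the counter is per new connection, not per failed authentication, which is exactly the behaviour Brooks warns about: a legitimate client opening several ssh sessions in quick succession hits the same limit as a scanner, and only the trusted table keeps it out of `<bruteforce>`.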


