Re: Limit connections doens't work

Vitaliy Vladimirovich Sun, 06 Dec 2009 01:19:36 -0800

  
--- Original Message ---  
From: Nico De Dobbeleer <[email protected]>  
To: [email protected]  
Date: 5 december, 16:09:52  
Subject: Limit connections doens't work  
  
  Hello,  
  
As most of the public ip's my servers are constantly under bruteforce attack 
see example:  
  
Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 
173.10.126.226 port 47871 ssh2  
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226 
 
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 
from 173.10.126.226 port 48289 ssh2  
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226  
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support 
from 173.10.126.226 port 48676 ssh2  
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226  
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito 
from 173.10.126.226 port 49122 ssh2  
Dec 5 13:56:51 hosting sshd[18629]: Invalid user rtorres from 173.10.126.226  
Dec 5 13:56:53 hosting sshd[18629]: Failed password for invalid user rtorres 
from 173.10.126.226 port 49872 ssh2  
Dec 5 13:56:55 hosting sshd[18631]: Invalid user jatema from 173.10.126.226  
Dec 5 13:56:57 hosting sshd[18631]: Failed password for invalid user jatema 
from 173.10.126.226 port 50293 ssh2  
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 
173.10.126.226 port 50702 ssh2  
Dec 5 13:57:04 hosting sshd[18635]: Failed password for invalid user root from 
173.10.126.226 port 51154 ssh2  
Dec 5 13:57:06 hosting sshd[18637]: Invalid user boss from 173.10.126.226  
Dec 5 13:57:08 hosting sshd[18637]: Failed password for invalid user boss from 
173.10.126.226 port 51507 ssh2  
Dec 5 13:57:09 hosting sshd[18639]: Invalid user sasha from 173.10.126.226  
Dec 5 13:57:11 hosting sshd[18639]: Failed password for invalid user sasha from 
173.10.126.226 port 51929 ssh2  
Dec 5 13:57:13 hosting sshd[18641]: Invalid user vic from 173.10.126.226  
Dec 5 13:57:14 hosting sshd[18641]: Failed password for invalid user vic from 
173.10.126.226 port 52321 ssh2  
Dec 5 13:57:16 hosting sshd[18643]: Invalid user ranjith from 173.10.126.226  
Dec 5 13:57:18 hosting sshd[18643]: Failed password for invalid user ranjith 
from 173.10.126.226 port 52650 ssh2  
Dec 5 13:57:21 hosting sshd[18645]: Failed password for invalid user root from 
173.10.126.226 port 53087 ssh2  
Dec 5 13:57:25 hosting sshd[18647]: Failed password for invalid user root from 
173.10.126.226 port 53447 ssh2  
Dec 5 13:57:29 hosting sshd[18649]: Failed password for invalid user root from 
173.10.126.226 port 53852 ssh2  
  
Now I want to limit the connection over ssh to a specific ipaddress and I added 
the rules below for that.  
------------------------------------------------------------------------------------------------------------------
  
#Tables  
table <abusive_ips> persist file "/etc/pf.abusive_ips.block.list"  
table <brute> persist  
  
# Rules  
  
block quick from <abusive_ips>  
block quick from <brute>  
  
# Limit connections per IP  
  
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to 
xx.xx.xx.xx port ssh flags S/SA keep state  
(max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)  
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to 
xx.xx.xx.xx port ssh flags S/SA keep state  
(max-src-conn 10, max-src-conn-rate 3/15, overload <brute> flush)  
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to 
xx.xx.xx.xx port ssh flags S/SA keep state  
(max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)  
--------------------------------------------------------------------------------------------------------------------
  
  
The only problem is that it doesn't work. These rules don't write the abusive 
ip in the abusif list file or in the <brute> table.  
  
Anyone an idea why it doesn't overload the ip's when the connections per ip are 
more then 10 of more then 3/15?  
  
With kind regards,  
Nico De Dobbeleer  
  
_______________________________________________  
[email protected] mailing list  
http://lists.freebsd.org/mailman/listinfo/freebsd-pf  
To unsubscribe, send any mail to "[email protected]"    
  
    I think you should specify


source-track rule (rule or lobal) in your rulesLike this:  
  
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to 
xx.xx.xx.xx port ssh flags S/SA keep state  
(max 10, source-track rule, max-src-conn 10, max-src-conn-rate 3/15, overload 
<abusive_ips> flush)  
  
  
See in PF FAQ  
  

Stateful Tracking Options.


_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"

Re: Limit connections doens't work

Reply via email to