David, Was the offending client completing the 3-way handshake everytime it connected?
For stateful TCP connections, limits on established connections (connec- tions which have completed the TCP 3-way handshake) can also be enforced per source IP. The max-src-conn-rate <number>/<seconds> limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average. You may also want to use synproxy for ssh and take a look at max-src-states. I have examples here: http://calomel.org/pf_config.html -- Calomel @ http://calomel.org On Tue, Oct 23, 2007 at 03:58:52PM -0500, david l goodrich wrote: >Nobody? Sad, it's still doing it. > > >On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote: >> I've set up a max-src-conn-rate rule on my gateway router to >> mitigate brute-force ssh attacks. This router protects a /28 >> subnet, 25.108.82.80/28. >> >> The relevant rules: >> >> # pfctl -sr | grep attack >> block drop in log quick proto tcp from <sshd_attackers> to any >> pass in log proto tcp from any to any port = ssh keep state >> (source-track rule, max-src-conn-rate 3/30, overload >> <sshd_attackers> flush global, src.track 30) >> # >> >> What the three columns of output in the below tcpdump output are: >> timestamp, rule action, and target host. As you can tell from >> the tcpdump command, the sending host is the same in all cases, >> 208.53.147.204 >> >> # tcpdump -enr /var/log/pflog host 208.53.147.204 \ >> > | awk '{print $1,$4,$11}' | sed s/.22:// | head -30 >> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file) >> 12:09:45.849594 pass 25.103.82.80 >> 12:09:45.850279 pass 25.103.82.82 >> 12:09:45.850827 pass 25.103.82.83 >> 12:09:45.851310 pass 25.103.82.84 >> 12:09:45.852003 pass 25.103.82.85 >> 12:09:45.852496 pass 25.103.82.86 >> 12:09:45.853007 pass 25.103.82.87 >> 12:09:45.866580 pass 25.103.82.88 >> 12:09:45.867345 pass 25.103.82.89 >> 12:09:45.868339 pass 25.103.82.92 >> 12:09:45.902389 pass 25.103.82.95 >> 12:25:52.632295 pass 25.103.82.80 >> 12:25:52.632973 pass 25.103.82.82 >> 12:25:52.648804 pass 25.103.82.83 >> 12:25:52.684792 pass 25.103.82.84 >> 12:25:52.687989 pass 25.103.82.85 >> 12:25:52.688652 pass 25.103.82.86 >> 12:25:52.690882 pass 25.103.82.87 >> 12:25:52.691371 pass 25.103.82.88 >> 12:25:52.692290 pass 25.103.82.89 >> 12:25:52.695340 pass 25.103.82.92 >> 12:25:52.698864 pass 25.103.82.95 >> 13:08:36.949178 pass 25.103.82.87 >> 13:08:38.864585 pass 25.103.82.87 >> 13:08:40.452215 pass 25.103.82.87 >> 13:08:42.038388 pass 25.103.82.87 >> 13:08:46.923469 block 25.103.82.88 >> 13:08:49.922116 block 25.103.82.88 >> 13:08:50.212040 block 25.103.82.87 >> 13:08:51.099435 block 25.103.82.87 >> # >> >> It seems to me like this host should have been blocked back at >> 12:09:45, not 13:08:46. Am I misunderstanding the rule? >> --david >> >> [demime 1.01d removed an attachment of type application/pgp-signature which >had a name of signature.asc] > >[demime 1.01d removed an attachment of type application/pgp-signature which >had a name of signature.asc]