On October 23, 2007 07:30:25 pm david l goodrich wrote: > On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote: > > On 10/23/07, david l goodrich <[EMAIL PROTECTED]> wrote: > > > Nobody? Sad, it's still doing it. > > > > > > On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote: > > > > I've set up a max-src-conn-rate rule on my gateway router to > > > > mitigate brute-force ssh attacks. This router protects a /28 > > > > subnet, 25.108.82.80/28. > > > > > > > > The relevant rules: > > > > > > > > # pfctl -sr | grep attack > > > > block drop in log quick proto tcp from <sshd_attackers> to any > > > > pass in log proto tcp from any to any port = ssh keep state > > > > (source-track rule, max-src-conn-rate 3/30, overload > > > > <sshd_attackers> flush global, src.track 30) > > > > # > > > > > > > > What the three columns of output in the below tcpdump output are: > > > > timestamp, rule action, and target host. As you can tell from > > > > the tcpdump command, the sending host is the same in all cases, > > > > 208.53.147.204 > > > > I'm not a pf newbie by any means, but I'm not really qualified to > > answer questions about it either. That said, I don't usually use an > > '=' sign in my pf rules, and the pf faq doesn't list that as one of > > the accepted operators for the port range > > (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being > > parsed correctly, it would cause the behavior you're seeing. Try, > > I don't have an = sign in my rule, either, i have it in pf.conf as: > > pass in log proto tcp from any to any port ssh \ > keep state (max-src-conn-rate 3/30, \ > overload <sshd_attackers> flush global) > > but when i look at my rules with pfctl -sr it shows the =. > > > block in log quick proto tcp port ssh keep state \ > > (source-track rule, max-src-conn-rate 3 / 30 overload > > <sshd_attackers>, src.track 30) > > I want to pass ssh traffic by default, so a block rule won't be > terribly helpful. > > > Note that I wouldn't use a flush global directive for a rule like > > this, because it can lead to a neat DoS where somebody can spoof one > > of your own IP addresses and shut down any ssh sessions you have > > active. > > > > Here's a working sample from my own currently active pf file: > > > > pass in on $ext proto tcp to <server6> port smtp keep state \ > > (max-src-conn 15 max-src-conn-rate 10 / 45 overload <smtp-overload>) \ > > queue 6smtp > > Mine's pretty similar, if a bit more verbose. And I don't use > max-src-conn or queueing. > --david > > > (FYI, the smtp-overload table moves traffic to a queue that simply > > throttles the connections a little.) > > > > - R. > > !DSPAM:1,471e93c5217372013633067!
I tried various combinations on my test machine and noticed the following pattern. Setting the max-src-conn to be twice the max-src-conn-rate seems to work better at stopping brute-force SSH attempts. Probably there is no rational basis for this observation and there must be some other explanation. I did try a few combinations and it seemed to have had a positive impact in getting the IP address to the sshd_attackers table at the right max-src-conn-rate. So I am wondering if pass in log proto tcp from any to any port ssh keep state (max-src-conn 6 max-src-conn-rate 3/30, overload <sshd_attackers> flush global) would be an appropriate thing for you to try. Anyways, hope this helps in some way. -- Vijay Sankar, M.Eng., P.Eng. President & CEO ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6 Phone: +1 204 885 9535, E-Mail: [EMAIL PROTECTED]