On 1/10/08, Ken [EMAIL PROTECTED] wrote:
snip
I never see anything like that, since my pf rules only allow me to ssh back
to home from my work IP range.
In the space of about 15 minutes before I enabled pf all of the following
users were tried, probably
by an automated script:
snip
It
Kennith Mann III wrote:
...
While moving the SSH port doesn't help much against anyone running an
nmap scan, it stops blind port 22 scans that run generic password
hacks and fill your logs with crap,
Overloads help a bit:
pass in on $ext_if proto tcp to ($ext_if) port ssh
On Fri, Jan 11, 2008 at 09:28:57AM +, Khalid Schofield wrote:
put this in pf.conf
Isn't this missing from the recipe?
block quick from <ssh-bruteforce>
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
flags S/SA keep state \
(max-src-conn-rate 3/30,
On Fri, Jan 11 2008 at 24:11, Lars Noodén wrote:
Kennith Mann III wrote:
...
While moving the SSH port doesn't help much against anyone running an
nmap scan, it stops blind port 22 scans that run generic password
hacks and fill your logs with crap,
Overloads help a bit:
Claer [EMAIL PROTECTED] writes:
I always hesitate to use this trick. Could you please explain the
implications of this method in more detail? Is it still effective?
Yes, it's still effective. You need to put in whatever values you
feel are appropriate for your network and users. In Lars' example,
http://home.nuug.no/~peter/pf/en/long-firewall.html#BRUTEFORCE
Best
Martin
On Fri, Jan 11 2008 at 47:11, Peter N. M. Hansteen wrote:
Claer [EMAIL PROTECTED] writes:
I always hesitate to use this trick. Could you please explain the
implications of this method in more detail? Is it still effective?
Yes, it's still effective. You need to put in whatever values you
feel are
On 2008/01/11 12:33, Lars Noodin wrote:
I suppose another option is to use pf to filter out all incoming traffic
to the servers originating from Windows computers
you can take a look for yourself with tcpdump -O, but I think you'll
find the ssh scans are more likely to be from some variety of
put this in pf.conf
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
flags S/SA keep state \
(max-src-conn-rate 3/30, overload <ssh-bruteforce> flush
global)
:)
enjoy
On 10 Jan 2008, at 21:53, Ken wrote:
A practical example, real life, last night.
I was
damn, you were seconds ahead of my reply with the same info :)
On 11 Jan 2008, at 09:24, Lars Noodin wrote:
Kennith Mann III wrote:
...
While moving the SSH port doesn't help much against anyone running an
nmap scan, it stops blind port 22 scans that run generic password
hacks and fill your
Claer wrote:
On Fri, Jan 11 2008 at 24:11, Lars Noodén wrote:
...
Regarding the logs, one thing that worked in the past was giving the
netblock owner a hard time. It's their responsibility. It's not too
hard to make up a shellscript (or use another scripting language) which
automates a
On Fri, Jan 11, 2008 at 10:51:41AM +, Stuart Henderson wrote:
On 2008/01/11 12:33, Lars Noodin wrote:
I suppose another option is to use pf to filter out all incoming traffic
to the servers originating from Windows computers
you can take a look for yourself with tcpdump -O, but I
Peter N. M. Hansteen wrote:
Claer [EMAIL PROTECTED] writes:
I always hesitate to use this trick. Could you please explain the
implications of this method in more detail? Is it still effective?
Yes, it's still effective. You need to put in whatever values you
feel are appropriate for your network
successful passes only.
/Scott
-Original Message-
From: Raimo Niskanen [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: : SSH Brute Force Attacks Abound - and thanks!
Date: Fri, 11 Jan 2008 11:12:00 +0100
Mailer: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]
On Fri, Jan 11, 2008 at 09:28:57AM
On Fri, Jan 11, 2008 at 11:07:49AM +0001, Jason McIntyre wrote:
| an inclusive match is usually better e.g.
| pass proto tcp from any os OpenBSD to port ssh
|
| that could be less useful if you have ipv6 connections in, no? since
| pf.os(5) claims only to be able to fingerprint hosts that
Lars Noodén wrote:
I suppose another option is to use pf to filter out all incoming traffic
to the servers originating from Windows computers maybe except to
relevant services like http port or https. If we could see a blanket
ban on connecting Windows machines to the net, things would
On 2008/01/11 11:07, Jason McIntyre wrote:
On Fri, Jan 11, 2008 at 10:51:41AM +, Stuart Henderson wrote:
On 2008/01/11 12:33, Lars Noodin wrote:
I suppose another option is to use pf to filter out all incoming traffic
to the servers originating from Windows computers
you can
On 2008/01/11 12:18, Claer wrote:
Sorry for not being that clear. I was talking about auto mailing whois
address block abuse contacts.
maybe you could get it to auto-mail *you* with the details to make
it easier to send that onwards, but don't auto-mail whois contacts.
you're asking people to
A practical example, real life, last night.
I was replacing my hard drive on my home broadband OBSD firewall, and it was
taking a few minutes
to copy over the old pf.conf and enable the firewall. I had installed the
latest snapshot as a
fresh image and restarted. It took a little while to
Wow, I read your email and checked my authlog and was
astounded by the number of hack attempts. Thankfully, I
configured my OpenBSD firewall with recommended access
controls. Thanks to all the dedicated OpenBSD
developers and community! Support the project and
encourage the purchase of more