Home » Mailing list archives » openbsd-misc » 2007 » October » 21

max-src-conn-rate rule question

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: david l goodrich <dlg@...>
To: <misc@...>
Subject: max-src-conn-rate rule question
Date: Sunday, October 21, 2007 - 3:22 pm

I've set up a max-src-conn-rate rule on my gateway router to

mitigate brute-force ssh attacks.  This router protects a /28

subnet, 25.108.82.80/28.


The relevant rules:


# pfctl -sr | grep attack

block drop in log quick proto tcp from  to any

pass in log proto tcp from any to any port = ssh keep state

(source-track rule, max-src-conn-rate 3/30, overload

 flush global, src.track 30)

#


What the three columns of output in the below tcpdump output are:

timestamp, rule action, and target host.  As you can tell from

the tcpdump command, the sending host is the same in all cases,

208.53.147.204


# tcpdump -enr /var/log/pflog host 208.53.147.204 \


reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)

12:09:45.849594 pass 25.103.82.80

12:09:45.850279 pass 25.103.82.82

12:09:45.850827 pass 25.103.82.83

12:09:45.851310 pass 25.103.82.84

12:09:45.852003 pass 25.103.82.85

12:09:45.852496 pass 25.103.82.86

12:09:45.853007 pass 25.103.82.87

12:09:45.866580 pass 25.103.82.88

12:09:45.867345 pass 25.103.82.89

12:09:45.868339 pass 25.103.82.92

12:09:45.902389 pass 25.103.82.95

12:25:52.632295 pass 25.103.82.80

12:25:52.632973 pass 25.103.82.82

12:25:52.648804 pass 25.103.82.83

12:25:52.684792 pass 25.103.82.84

12:25:52.687989 pass 25.103.82.85

12:25:52.688652 pass 25.103.82.86

12:25:52.690882 pass 25.103.82.87

12:25:52.691371 pass 25.103.82.88

12:25:52.692290 pass 25.103.82.89

12:25:52.695340 pass 25.103.82.92

12:25:52.698864 pass 25.103.82.95

13:08:36.949178 pass 25.103.82.87

13:08:38.864585 pass 25.103.82.87

13:08:40.452215 pass 25.103.82.87

13:08:42.038388 pass 25.103.82.87

13:08:46.923469 block 25.103.82.88

13:08:49.922116 block 25.103.82.88

13:08:50.212040 block 25.103.82.87

13:08:51.099435 block 25.103.82.87

#


It seems to me like this host should have been blocked back at

12:09:45, not 13:08:46.  Am I misunderstanding the rule?

  --david


[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
max-src-conn-rate rule question, david l goodrich, (Sun Oct 21, 3:22 pm)
Re: max-src-conn-rate rule question, david l goodrich, (Tue Oct 23, 4:58 pm)
Re: max-src-conn-rate rule question, Rob, (Tue Oct 23, 5:55 pm)
Re: max-src-conn-rate rule question, Henning Brauer, (Wed Oct 24, 4:12 am)
Re: max-src-conn-rate rule question, Rob, (Wed Oct 24, 8:26 am)
Re: max-src-conn-rate rule question, david l goodrich, (Tue Oct 23, 8:30 pm)
Re: max-src-conn-rate rule question, Vijay Sankar, (Tue Oct 23, 10:36 pm)
Re: max-src-conn-rate rule question, Rob, (Tue Oct 23, 8:59 pm)
Re: max-src-conn-rate rule question, david l goodrich, (Wed Oct 24, 12:02 am)
Re: max-src-conn-rate rule question, Calomel, (Tue Oct 23, 5:46 pm)
Re: max-src-conn-rate rule question, david l goodrich, (Wed Oct 24, 12:23 am)
Re: max-src-conn-rate rule question, Calomel, (Wed Oct 24, 11:40 am)