I've set up a max-src-conn-rate rule on my gateway router to mitigate brute-force ssh attacks. This router protects a /28 subnet, 25.108.82.80/28. The relevant rules:

# pfctl -sr | grep attack
block drop in log quick proto tcp from <sshd_attackers> to any
pass in log proto tcp from any to any port = ssh keep state (source-track rule, max-src-conn-rate 3/30, overload <sshd_attackers> flush global, src.track 30)
#

The three columns in the tcpdump output below are: timestamp, rule action, and target host. As you can tell from the tcpdump command, the sending host is the same in all cases, 208.53.147.204.

# tcpdump -enr /var/log/pflog host 208.53.147.204
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
12:09:45.849594 pass 25.103.82.80
12:09:45.850279 pass 25.103.82.82
12:09:45.850827 pass 25.103.82.83
12:09:45.851310 pass 25.103.82.84
12:09:45.852003 pass 25.103.82.85
12:09:45.852496 pass 25.103.82.86
12:09:45.853007 pass 25.103.82.87
12:09:45.866580 pass 25.103.82.88
12:09:45.867345 pass 25.103.82.89
12:09:45.868339 pass 25.103.82.92
12:09:45.902389 pass 25.103.82.95
12:25:52.632295 pass 25.103.82.80
12:25:52.632973 pass 25.103.82.82
12:25:52.648804 pass 25.103.82.83
12:25:52.684792 pass 25.103.82.84
12:25:52.687989 pass 25.103.82.85
12:25:52.688652 pass 25.103.82.86
12:25:52.690882 pass 25.103.82.87
12:25:52.691371 pass 25.103.82.88
12:25:52.692290 pass 25.103.82.89
12:25:52.695340 pass 25.103.82.92
12:25:52.698864 pass 25.103.82.95
13:08:36.949178 pass 25.103.82.87
13:08:38.864585 pass 25.103.82.87
13:08:40.452215 pass 25.103.82.87
13:08:42.038388 pass 25.103.82.87
13:08:46.923469 block 25.103.82.88
13:08:49.922116 block 25.103.82.88
13:08:50.212040 block 25.103.82.87
13:08:51.099435 block 25.103.82.87
#

It seems to me like this host should have been blocked back at 12:09:45, not 13:08:46. Am I misunderstanding the rule?
--david
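An added example, not part of david's message and not OpenBSD's code: a small Python model of the counter behind max-src-conn-rate, replayed over the timestamps from the pflog excerpt above. It follows my reading of pf_init_threshold(), pf_add_threshold() and pf_check_threshold() in pf.c (a count scaled by PF_THRESHOLD_MULT that decays linearly over the window and is evaluated at whole-second granularity), and of where pf calls them: pf_src_connlimit() runs when a TCP state reaches ESTABLISHED, so only completed 3-way handshakes are counted. Treat both points as assumptions to verify against the pf.c of your release. The two inputs are constructed from the log: every 'pass' line, and, as a hypothesis the log itself cannot confirm, only the four slow connections at 13:08.

```python
"""
Model of pf's max-src-conn-rate accounting, replayed over the timestamps in the
post above. Added example, not code from the post or from OpenBSD. It follows my
reading of pf_init_threshold()/pf_add_threshold()/pf_check_threshold() in pf.c
(an integer count scaled by PF_THRESHOLD_MULT, decayed linearly over the window,
evaluated at whole-second granularity). Check against your release's pf.c.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

PF_THRESHOLD_MULT = 1000  # pf scales counts so the decay stays in integer arithmetic


@dataclass
class Threshold:
    """One source node's conn_rate counter for a rule with max-src-conn-rate N/S."""
    limit: int      # N connections ...
    seconds: int    # ... per S seconds
    count: int = 0  # scaled running count
    last: int = 0   # time of the last update, whole seconds (pf uses time_second)

    def __post_init__(self) -> None:
        self.limit *= PF_THRESHOLD_MULT

    def add(self, now: int) -> None:
        """pf_add_threshold(): decay the count for the time elapsed, then add one."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0
        else:
            self.count -= self.count * diff // self.seconds
        self.count += PF_THRESHOLD_MULT
        self.last = now

    def exceeded(self) -> bool:
        """pf_check_threshold(): strictly more than N connections within the window."""
        return self.count > self.limit


def to_seconds(stamp: str) -> int:
    """tcpdump 'HH:MM:SS.ffffff' -> whole seconds since midnight."""
    t = datetime.strptime(stamp, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second


def first_overload(stamps: Iterable[str], limit: int = 3, seconds: int = 30) -> Optional[str]:
    """Timestamp of the connection that first trips limit/seconds, or None if none does."""
    th = Threshold(limit, seconds)
    for stamp in stamps:
        th.add(to_seconds(stamp))
        if th.exceeded():
            return stamp
    return None


# Constructed from the pflog excerpt in the post: every 'pass' entry. With plain
# 'log' (not 'log (all)') pf records only the packet that created the state, i.e.
# the attacker's SYN, so these are SYNs seen, not connections known to have completed.
LOGGED_SYNS = [
    "12:09:45.849594", "12:09:45.850279", "12:09:45.850827", "12:09:45.851310",
    "12:09:45.852003", "12:09:45.852496", "12:09:45.853007", "12:09:45.866580",
    "12:09:45.867345", "12:09:45.868339", "12:09:45.902389",
    "12:25:52.632295", "12:25:52.632973", "12:25:52.648804", "12:25:52.684792",
    "12:25:52.687989", "12:25:52.688652", "12:25:52.690882", "12:25:52.691371",
    "12:25:52.692290", "12:25:52.695340", "12:25:52.698864",
    "13:08:36.949178", "13:08:38.864585", "13:08:40.452215", "13:08:42.038388",
]

# Hypothesis (assumption, not shown by the log): only the four slow 13:08
# connections completed the 3-way handshake, and the 12:09/12:25 bursts were
# SYN scans that never did. In my reading of pf.c, pf_src_connlimit(), which
# updates and checks conn_rate, runs when a TCP state reaches ESTABLISHED, so
# unanswered SYNs never count toward max-src-conn-rate.
COMPLETED_HANDSHAKES = LOGGED_SYNS[-4:]

if __name__ == "__main__":
    print("if every logged SYN counted, overload at:", first_overload(LOGGED_SYNS))
    print("if only completed handshakes counted, overload at:",
          first_overload(COMPLETED_HANDSHAKES))
```

If every logged SYN counted, the model trips on the fourth packet of the 12:09:45 burst, which is the intuition in the question. If only the four 13:08 connections count, it trips on the 13:08:42 connection (scaled count 3619 > 3000), just before the first 'block' entry at 13:08:46, which is consistent with the log but not proven by it: a 'pass' line from a plain 'log' rule only shows that a SYN arrived and created a state, not that the handshake finished.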
