Re: max-src-conn-rate rule question
From: david l goodrich
Subject: Re: max-src-conn-rate rule question
Date: Tuesday, October 23, 2007 - 1:58 pm
Nobody? Sad, it's still doing it.

On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:

> I've set up a max-src-conn-rate rule on my gateway router to
> mitigate brute-force ssh attacks. This router protects a /28
> subnet, 25.108.82.80/28.
>
> The relevant rules:
>
> # pfctl -sr | grep attack
> block drop in log quick proto tcp from <sshd_attackers> to any
> pass in log proto tcp from any to any port = ssh keep state
> (source-track rule, max-src-conn-rate 3/30, overload
> <sshd_attackers> flush global, src.track 30)
> #
>
> What the three columns of output in the below tcpdump output are:
> timestamp, rule action, and target host. As you can tell from
> the tcpdump command, the sending host is the same in all cases,
> 208.53.147.204
>
> # tcpdump -enr /var/log/pflog host 208.53.147.204 \
> > | awk '{print ,,}' | sed s/.22:// | head -30
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 12:09:45.849594 pass 25.103.82.80
> 12:09:45.850279 pass 25.103.82.82
> 12:09:45.850827 pass 25.103.82.83
> 12:09:45.851310 pass 25.103.82.84
> 12:09:45.852003 pass 25.103.82.85
> 12:09:45.852496 pass 25.103.82.86
> 12:09:45.853007 pass 25.103.82.87
> 12:09:45.866580 pass 25.103.82.88
> 12:09:45.867345 pass 25.103.82.89
> 12:09:45.868339 pass 25.103.82.92
> 12:09:45.902389 pass 25.103.82.95
> 12:25:52.632295 pass 25.103.82.80
> 12:25:52.632973 pass 25.103.82.82
> 12:25:52.648804 pass 25.103.82.83
> 12:25:52.684792 pass 25.103.82.84
> 12:25:52.687989 pass 25.103.82.85
> 12:25:52.688652 pass 25.103.82.86
> 12:25:52.690882 pass 25.103.82.87
> 12:25:52.691371 pass 25.103.82.88
> 12:25:52.692290 pass 25.103.82.89
> 12:25:52.695340 pass 25.103.82.92
> 12:25:52.698864 pass 25.103.82.95
> 13:08:36.949178 pass 25.103.82.87
> 13:08:38.864585 pass 25.103.82.87
> 13:08:40.452215 pass 25.103.82.87
> 13:08:42.038388 pass 25.103.82.87
> 13:08:46.923469 block 25.103.82.88
> 13:08:49.922116 block 25.103.82.88
> 13:08:50.212040 block 25.103.82.87
> 13:08:51.099435 block 25.103.82.87
> #
>
> It seems to me like this host should have been blocked back at
> 12:09:45, not 13:08:46. Am I misunderstanding the rule?
> --david
>
> [demime 1.01d removed an attachment of type application/pgp-signature which
> had a name of signature.asc]
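Added example, not from the thread: a Python check that reproduces the count the poster expects, walking the quoted pflog columns (re-typed here as a constructed sample) and reporting the first point at which one source's passed connections exceed 3 in a 30-second window. It assumes every logged pass is a counted connection; pf's own counter is a per-source moving-average approximation and, as far as I know, for TCP it is only advanced once the handshake completes, so a burst of SYNs that never complete would not register, which is one thing to verify against pf.conf(5) when the numbers disagree.

```python
from collections import deque

# Constructed sample in the poster's three-column format (timestamp, rule action,
# target host), all from one source host; the 12:25:52 batch is omitted.
PFLOG_LINES = """\
12:09:45.849594 pass 25.103.82.80
12:09:45.850279 pass 25.103.82.82
12:09:45.850827 pass 25.103.82.83
12:09:45.851310 pass 25.103.82.84
12:09:45.852003 pass 25.103.82.85
12:09:45.852496 pass 25.103.82.86
12:09:45.853007 pass 25.103.82.87
12:09:45.866580 pass 25.103.82.88
12:09:45.867345 pass 25.103.82.89
12:09:45.868339 pass 25.103.82.92
12:09:45.902389 pass 25.103.82.95
13:08:36.949178 pass 25.103.82.87
13:08:38.864585 pass 25.103.82.87
13:08:40.452215 pass 25.103.82.87
13:08:42.038388 pass 25.103.82.87
13:08:46.923469 block 25.103.82.88
13:08:49.922116 block 25.103.82.88
13:08:50.212040 block 25.103.82.87
13:08:51.099435 block 25.103.82.87
"""

RATE_LIMIT, INTERVAL = 3, 30.0   # max-src-conn-rate 3/30 from the quoted rule

def to_seconds(ts):
    h, m, s = ts.split(":")      # 'HH:MM:SS.ffffff' -> seconds since midnight
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse(text):
    """Return [(seconds, action, dst)] for each non-empty log line."""
    return [(to_seconds(t), a, d)
            for t, a, d in (ln.split() for ln in text.splitlines() if ln)]

def first_overload(recs, limit=RATE_LIMIT, interval=INTERVAL):
    """First (seconds, dst) where passed connections in the trailing `interval`
    seconds exceed `limit`, or None: an exact sliding-window count of passes."""
    window = deque()
    for t, action, dst in recs:
        if action != "pass":        # blocked packets never feed the counter
            continue
        while window and t - window[0] > interval:
            window.popleft()
        window.append(t)
        if len(window) > limit:
            return (t, dst)
    return None
```

Over the full sample it fires on the fourth pass at 12:09:45 (to 25.103.82.84), the point the poster expected; over the 13:08 lines alone it fires on the fourth pass to .87, just before the blocks actually begin in the log.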
Messages in current thread:
max-src-conn-rate rule question, david l goodrich (Sun Oct 21, 12:22 pm)
Re: max-src-conn-rate rule question, david l goodrich (Tue Oct 23, 1:58 pm)
Re: max-src-conn-rate rule question, Calomel (Tue Oct 23, 2:46 pm)
Re: max-src-conn-rate rule question, Rob (Tue Oct 23, 2:55 pm)
Re: max-src-conn-rate rule question, david l goodrich (Tue Oct 23, 5:30 pm)
Re: max-src-conn-rate rule question, Rob (Tue Oct 23, 5:59 pm)
Re: max-src-conn-rate rule question, Vijay Sankar (Tue Oct 23, 7:36 pm)
Re: max-src-conn-rate rule question, david l goodrich (Tue Oct 23, 9:02 pm)
Re: max-src-conn-rate rule question, david l goodrich (Tue Oct 23, 9:23 pm)
Re: max-src-conn-rate rule question, Henning Brauer (Wed Oct 24, 1:12 am)
Re: max-src-conn-rate rule question, Rob (Wed Oct 24, 5:26 am)
Re: max-src-conn-rate rule question, Calomel (Wed Oct 24, 8:40 am)