On 10/23/07, david l goodrich <dlg@dsrw.org> wrote:
quoted text
> On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote:
> > > On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:
> > > > I've set up a max-src-conn-rate rule on my gateway router to
> > > > mitigate brute-force ssh attacks.  This router protects a /28
> > > > subnet, 25.108.82.80/28.
> > > >
> > > > The relevant rules:
> > > >
> > > > # pfctl -sr | grep attack
> > > > block drop in log quick proto tcp from <sshd_attackers> to any
> > > > pass in log proto tcp from any to any port = ssh keep state
> > > > (source-track rule, max-src-conn-rate 3/30, overload
> > > > <sshd_attackers> flush global, src.track 30)
> > > > #
> >
> > I'm not a pf newbie by any means, but I'm not really qualified to
> > answer questions about it either. That said, I don't usually use an
> > '=' sign in my pf rules, and the pf faq doesn't list that as one of
> > the accepted operators for the port range
> > (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being
> > parsed correctly, it would cause the behavior you're seeing. Try,
>
> I don't have an = sign in my rule, either, i have it in pf.conf as:
>
> pass in log proto tcp from any to any port ssh \
>         keep state (max-src-conn-rate 3/30, \
>                         overload <sshd_attackers> flush global)
>
> but when i look at my rules with pfctl -sr it shows the =.
>
> >
> > block in log quick proto tcp port ssh keep state \
> >    (source-track rule, max-src-conn-rate 3 / 30 overload
> > <sshd_attackers>, src.track 30)
>
> I want to pass ssh traffic by default, so a block rule won't be
> terribly helpful.

Whoops, that was a big ol' typo. That should've been a pass, sorry.

quoted text
> > Note that I wouldn't use a flush global directive for a rule like
> > this, because it can lead to a neat DoS where somebody can spoof one
> > of your own IP addresses and shut down any ssh sessions you have
> > active.
> >
> > Here's a working sample from my own currently active pf file:
> >
> > pass in on $ext proto tcp to <server6> port smtp keep state \
> >    (max-src-conn 15 max-src-conn-rate 10 / 45 overload <smtp-overload>) \
> >    queue 6smtp
>
> Mine's pretty similar, if a bit more verbose.  And I don't use
> max-src-conn or queueing.

Huh.

What's your output from pfctl -s rules -v ?

Also, I should parrot some of the earlier conversations that have been
on this list on this subject (limiting attempts at ssh attacks). Doing
this with a max-src-conn-rate rule probably isn't what you really want
to do anyway; there are some good log file analyzers which would be
better suited to this (see http://www.ossec.net/,
http://www.ossec.net/en/attacking-loganalysis.html, and
http://marc.info/?l=openbsd-misc&m=118660109014882&w=2); strong ssh
passwords are the best defense against dictionary attacks; etc. At
best, all you're really doing is keeping your authlog a bit leaner,
and maybe compiling a list of evildoers.

- R.

- R.