On October 23, 2007 07:30:25 pm david l goodrich wrote:

quoted text
> On Tue, Oct 23, 2007 at 02:55:41PM -0700, Rob wrote:

> > On 10/23/07, david l goodrich  wrote:

> > > Nobody?  Sad, it's still doing it.

> > >

> > > On Sun, Oct 21, 2007 at 02:22:43PM -0500, david l goodrich wrote:

> > > > I've set up a max-src-conn-rate rule on my gateway router to

> > > > mitigate brute-force ssh attacks.  This router protects a /28

> > > > subnet, 25.108.82.80/28.

> > > >

> > > > The relevant rules:

> > > >

> > > > # pfctl -sr | grep attack

> > > > block drop in log quick proto tcp from  to any

> > > > pass in log proto tcp from any to any port = ssh keep state

> > > > (source-track rule, max-src-conn-rate 3/30, overload

> > > >  flush global, src.track 30)

> > > > #

> > > >

> > > > What the three columns of output in the below tcpdump output are:

> > > > timestamp, rule action, and target host.  As you can tell from

> > > > the tcpdump command, the sending host is the same in all cases,

> > > > 208.53.147.204

> >

> > I'm not a pf newbie by any means, but I'm not really qualified to

> > answer questions about it either. That said, I don't usually use an

> > '=' sign in my pf rules, and the pf faq doesn't list that as one of

> > the accepted operators for the port range

> > (http://www.openbsd.org/faq/pf/filter.html). If the rule wasn't being

> > parsed correctly, it would cause the behavior you're seeing. Try,

>

> I don't have an = sign in my rule, either, i have it in pf.conf as:

>

> pass in log proto tcp from any to any port ssh \

>         keep state (max-src-conn-rate 3/30, \

>                         overload  flush global)

>

> but when i look at my rules with pfctl -sr it shows the =.

>

> > block in log quick proto tcp port ssh keep state \

> >    (source-track rule, max-src-conn-rate 3 / 30 overload

> > , src.track 30)

>

> I want to pass ssh traffic by default, so a block rule won't be

> terribly helpful.

>

> > Note that I wouldn't use a flush global directive for a rule like

> > this, because it can lead to a neat DoS where somebody can spoof one

> > of your own IP addresses and shut down any ssh sessions you have

> > active.

> >

> > Here's a working sample from my own currently active pf file:

> >

> > pass in on $ext proto tcp to  port smtp keep state \

> >    (max-src-conn 15 max-src-conn-rate 10 / 45 overload ) \

> >    queue 6smtp

>

> Mine's pretty similar, if a bit more verbose.  And I don't use

> max-src-conn or queueing.

>   --david

>

> > (FYI, the smtp-overload table moves traffic to a queue that simply

> > throttles the connections a little.)

> >

> > - R.

>

> !DSPAM:1,471e93c5217372013633067!

I tried various combinations on my test machine and noticed the following

pattern. Setting the max-src-conn to be twice the max-src-conn-rate seems to

work better at stopping brute-force SSH attempts. Probably there is no

rational basis for this observation and there must be some other explanation.

I did try a few combinations and it seemed to have had a positive impact in

getting the IP address to the sshd_attackers table at the right

max-src-conn-rate.
So I am wondering if
pass in log proto tcp from any to any port ssh keep state (max-src-conn 6

max-src-conn-rate 3/30, overload  flush global)
would be an appropriate thing for you to try.
Anyways, hope this helps in some way.
--

Vijay Sankar, M.Eng., P.Eng.

President & CEO

ForeTell Technologies Limited

59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6

Phone: +1 204 885 9535, E-Mail: vsankar@foretell.ca