Re: SSH brute force attacks no longer being caught by PF rule

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: David Newman

Subject: Re: SSH brute force attacks no longer being caught by PF rule

Date: Wednesday, August 8, 2007 - 10:26 am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 6/27/07 10:39 PM, Daniel Ouellet wrote:
quoted text> Steve B wrote:
>> The rule I've had in my pf.conf file to catch and block forceful SSH
>> attempts no longer appears to be working. I see the entries in my
>> authlog,
>> but the IPs are no longer getting added to my table. I suspect I screwed
>> something  up, but so far I am at a loss to see where. Could someone pass
>> another set of eyes over the relevant parts of my pf.conf?
> 
> Put quickly as an example, but you can try:
> 
> # Define some variable for clarity
> SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
> 
> ## SSH Hackers - blocked IPs
> table <scanners> persist file "/etc/tables/scanners"
> 
> # Block ssh access to bad ssh scanner
> block drop in log quick on $ext_if inet proto tcp \
>    from <scanners> to any port ssh
> 
> # Allow quick valid traffic to ssh but log all attempts as well
> pass in log quick on $ext_if inet proto tcp from ! <scanners> \
>    to $ext_if port ssh flags S/SA keep state \
>    $SSH_LIMIT
> 

I've added something like this to pf.conf but it's only partially
successful. I would appreciate any clues as to why it's not blocking all
brute-force attempts.

On an OBSD 4.1 box, here's what I added to pf.conf ($unpro is the
Internet-facing interface):

#####

# Define limit of ssh connection rates
SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"
# SSH scanners - blocked IPs
table <scanners> persist

block drop in log quick on $unpro inet proto tcp \
  from <scanners> to any port ssh


# Allow quick valid traffic to ssh but log all attempts as well
pass in log quick on $unpro inet proto tcp from ! <scanners> \
   to $unpro port ssh $SSH_LIMIT

#####

And it appears to be working, at least in part:

dnewman@fw17 ~ 501$ sudo pfctl -t scanners -T show
   61.146.178.13
   61.189.145.103
   67.76.237.190
   161.200.144.108
   193.254.31.194

#####

But some hosts on the protected side of the firewall still report
brute-force ssh login attempts exceeding the 3/30 rate:

Aug  7 10:16:00 mail sshd[21608]: Invalid user trash from 201.18.81.8
Aug  7 10:16:08 mail sshd[21610]: Invalid user aaron from 201.18.81.8
Aug  7 10:16:11 mail sshd[21612]: Invalid user gt05 from 201.18.81.8
Aug  7 10:16:18 mail sshd[21614]: Invalid user william from 201.18.81.8
Aug  7 10:16:22 mail sshd[21616]: Invalid user stephanie from 201.18.81.8
Aug  7 10:16:59 mail sshd[21628]: Invalid user gary from 201.18.81.8
Aug  7 10:17:07 mail sshd[21632]: Invalid user guest from 201.18.81.8
Aug  7 10:17:11 mail sshd[21634]: Invalid user test from 201.18.81.8
Aug  7 10:17:17 mail sshd[21636]: Invalid user oracle from 201.18.81.8
Aug  7 10:19:24 mail sshd[21717]: Invalid user apache from 201.18.81.8
Aug  7 10:19:43 mail sshd[21723]: Invalid user lab from 201.18.81.8
Aug  7 10:19:55 mail sshd[21729]: Invalid user oracle from 201.18.81.8
Aug  7 10:20:00 mail sshd[21736]: Invalid user svn from 201.18.81.8
Aug  7 10:20:06 mail sshd[21745]: Invalid user iraf from 201.18.81.8
Aug  7 10:20:13 mail sshd[21747]: Invalid user swsoft from 201.18.81.8
Aug  7 10:20:18 mail sshd[21749]: Invalid user production from 201.18.81.8
Aug  7 10:20:23 mail sshd[21751]: Invalid user guest from 201.18.81.8
Aug  7 10:20:28 mail sshd[21753]: Invalid user gast from 201.18.81.8
Aug  7 10:20:34 mail sshd[21755]: Invalid user gast from 201.18.81.8
Aug  7 10:20:40 mail sshd[21762]: Invalid user oliver from 201.18.81.8
Aug  7 10:20:45 mail sshd[21767]: Invalid user sirsi from 201.18.81.8
Aug  7 10:20:50 mail sshd[21769]: Invalid user nagios from 201.18.81.8
Aug  7 10:20:55 mail sshd[21771]: Invalid user nagios from 201.18.81.8
Aug  7 10:20:59 mail sshd[21773]: Invalid user nagios from 201.18.81.8

Thanks in advance for suggestions as to how to reduce these kind of
login attempts.

dn
iD8DBQFGufyzyPxGVjntI4IRAty2AJ9WDCqLqkWyhx/KuciGINow6Upb5wCfUuP+
GfZ8lnaun1QPItnFK5c4MNU=
=tjbD
-----END PGP SIGNATURE-----

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

SSH brute force attacks no longer being caught by PF rule, Steve B, (Wed Jun 27, 9:54 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Daniel Ouellet, (Wed Jun 27, 10:39 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Joachim Schipper, (Thu Jun 28, 7:20 am)

Re: SSH brute force attacks no longer being caught by PF rule, David Newman, (Wed Aug 8, 10:26 am)

Re: SSH brute force attacks no longer being caught by PF rule, Rob, (Wed Aug 8, 10:50 am)

Re: SSH brute force attacks no longer being caught by PF rule, Allie D., (Wed Aug 8, 10:54 am)

Re: SSH brute force attacks no longer being caught by PF rule, Daniel Cid, (Wed Aug 8, 11:20 am)

Re: SSH brute force attacks no longer being caught by PF rule, Allie D., (Wed Aug 8, 12:02 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Rob, (Wed Aug 8, 12:03 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Marc Balmer, (Wed Aug 8, 2:14 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Joachim Schipper, (Thu Aug 9, 3:22 am)

Re: SSH brute force attacks no longer being caught by PF rule, David Newman, (Thu Aug 9, 10:24 am)

Re: SSH brute force attacks no longer being caught by PF rule, David Newman, (Thu Aug 9, 10:29 am)

Re: SSH brute force attacks no longer being caught by PF rule, Joachim Schipper, (Thu Aug 9, 12:43 pm)

Re: SSH brute force attacks no longer being caught by PF rule, Stuart Henderson, (Mon Aug 13, 2:10 am)

Re: SSH brute force attacks no longer being caught by PF rule, Joachim Schipper, (Mon Aug 13, 3:14 am)

Re: SSH brute force attacks no longer being caught by PF rule, Janne Johansson, (Mon Aug 13, 4:29 am)

Re: SSH brute force attacks no longer being caught by PF rule, Stuart Henderson, (Mon Aug 13, 4:30 am)

Re: SSH brute force attacks no longer being caught by PF rule, Henning Brauer, (Mon Aug 13, 5:09 am)


linux-kernel:
Greg KH	Og dreams of kernels
Jens Axboe	[PATCH 31/33] Fusion: sg chaining support
Arnd Bergmann	Re: finding your own dead "CONFIG_" variables
Mark Brown	[PATCH 2/2] Subject: natsemi: Allow users to disable workaround for DspCfg reset
Tony Breeds	[LGUEST] Look in object dir for .config
git:
Brian Downing	Re: Git in a Nutshell guide
John Benes	Re: master has some toys
Matthias Lederhofer	[PATCH 4/7] introduce GIT_WORK_TREE to specify the work tree
Alexander Sulfrian	[RFC/PATCH] RE: git calls SSH_ASKPASS even if DISPLAY is not set
Junio C Hamano	Re: Rss produced by git is not valid xml?
git-commits-head:
Linux Kernel Mailing List	iSeries: fix section mismatch in iseries_veth
Linux Kernel Mailing List	ixbge: remove TX lock and redo TX accounting.
Linux Kernel Mailing List	ixgbe: fix several counter register errata
Linux Kernel Mailing List	b43: fix build with CONFIG_SSB_PCIHOST=n
Linux Kernel Mailing List	9p: block-based virtio client
linux-netdev:
Michael Breuer	Re: [PATCH] af_packet: Don't use skb after dev_queue_xmit()
Michael Breuer	Re: [PATCH] af_packet: Don't use skb after dev_queue_xmit()
David Daney	[PATCH 5/7] Staging: Octeon Ethernet: Convert to NAPI.
Wolfgang Grandegger	[PATCH net-next v4 1/3] can: mscan: fix improper return if dlc < 8 in start_xmi...
Amit Kumar Salecha	[PATCHv3 NEXT 2/2] NET: Add Qlogic ethernet driver for CNA devices
openbsd-misc:
Theo de Raadt	Re: Old IPSEC bug
Tomáš Bodžár	Problem with vpnc connection - check group password !
Insan Praja SW	Mandoc Compiling Error
Carl Roberso	Re: Cannot change MTU of carp interface?
Richard Daemon	Re: booting openbsd on eee without cd-rom