brutal SSH attacks

Helmut Schneider jumper99 at gmx.de
Wed Feb 9 00:01:39 UTC 2011


>> Check your pflog. The ruleset itself seems fine (if it is complete and 
>> you did not forget to post
>> a vital part). We also can assume that pf is enabled, can we?
>
> What should I be looking for in pflog? I can't find anything ssh related. 
> I posted full ruleset too.
[...]
> [root at castor /var/log]# for log in pflog.?.bz2 ; do bzcat 
> $log|tcpdump -r - port ssh ; done
> reading from file -, link-type PFLOG (OpenBSD pflog file)
> reading from file -, link-type PFLOG (OpenBSD pflog file)
> reading from file -, link-type PFLOG (OpenBSD pflog file)
> reading from file -, link-type PFLOG (OpenBSD pflog file)

Well...

> block drop in quick from <abusive_hosts> to any
> pass quick inet proto tcp from any to 38.X.X.X port = ssh flags S/SA keep 
> state (source-track rule, max-src-conn 10, max-src-conn-rate 9/60, 
> overload <abusive_hosts> flush global, src.track 60)

"block drop in quick log..." and "pass quick inet proto log" might be 
useful. BTW, what version of FreeBSD are you using? The machine isn't 
multi-homed, is it? 
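As an added example (not the original poster's ruleset and not part of Helmut's reply), the two rules from the thread rewritten in pf.conf form with the "log" keyword the reply suggests, followed by the tcpdump invocations for reading what pflogd writes. The interface name em0 and the macro names are assumptions; 38.X.X.X is the placeholder from the post and must be replaced by the real address.

```pf
# Added example, not the poster's pf.conf. Assumed: external interface em0.
ext_if   = "em0"
ssh_host = "38.X.X.X"      # placeholder from the thread; use the real address

table <abusive_hosts> persist

# Log every packet dropped because its source is already in the overload table.
block drop in quick log on $ext_if from <abusive_hosts> to any

# "log" records only the packet that creates state (the SYN here); use
# "log (all)" to record every packet of the connection instead.
# More than 10 simultaneous connections, or more than 9 new connections in
# 60 seconds, from one source adds it to <abusive_hosts> and, because of
# "flush global", kills all of that source's existing states.
pass in quick log on $ext_if inet proto tcp from any to $ssh_host port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 9/60, overload <abusive_hosts> flush global)

# Reading the log. pflogd writes the current log to /var/log/pflog (uncompressed),
# and newsyslog rotates it to pflog.0.bz2, pflog.1.bz2, ... (two digits once
# there are more than ten). "-e" prints the matching rule number, action,
# direction and interface for each record.
#   tcpdump -n -e -ttt -r /var/log/pflog port 22
#   for f in /var/log/pflog.*.bz2; do bzcat "$f" | tcpdump -n -e -ttt -r - port 22; done
#   tcpdump -n -e -ttt -i pflog0 port 22             # live, while an attempt runs
# Check the table as well:  pfctl -t abusive_hosts -T show
```

Note that the loop in the quoted message, `pflog.?.bz2`, matches only single-digit rotations and never reads the uncompressed current /var/log/pflog, so a quiet result there does not by itself mean nothing was logged; with no "log" keyword on either rule, however, pflog stays empty regardless of which files are read.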


