brutal SSH attacks
Daniel Hartmeier
daniel at benzedrine.cx
Wed Feb 9 18:51:18 UTC 2011
On Tue, Feb 08, 2011 at 08:07:52PM -0500, Vadym Chepkov wrote:
> No idea, why it didn't stop after 9 attempts.
The connection rate is not calculated precisely, from pf.conf(5):

    max-src-conn-rate <number> / <seconds>
        Limit the rate of new connections over a time interval. The
        connection rate is an approximation calculated as a moving
        average.
There is a counter, and a last-update-time.
When the first connection matches, the counter starts at zero, and the
time (one second resolution) is noted.
Whenever a subsequent connection matches, the following happens:
1) if the last-update-time is further back than <seconds> (60, in your
case), the counter is reset to zero.
2) otherwise, the counter is reduced relative to how much time has
passed since last-update-time (i.e. the counter is multiplied by
(now - last-update-time) / <seconds>).
3) the counter is incremented by 1000
When the counter exceeds 1000 * <number> (9, in your case), the
max-src-conn-rate is triggered.
This works reasonably well in many cases, but may be quite imprecise,
especially when <number> is much smaller than <seconds>.
You could try max-src-conn-rate 2/5 instead.
The details can be found in pf.c, see
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c?rev=HEAD
The reason this was chosen over a more precise algorithm is that this is
very cheap CPU-wise and requires only a minimal amount of memory.
Regards,
Daniel
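The counter described in Daniel's message, simulated as an added example (this is not code from pf.c or from the thread). It follows the three steps above and the fixed-point arithmetic of pf_add_threshold()/pf_check_threshold() in pf.c: the counter is scaled by 1000, each new connection first subtracts count * elapsed / seconds (integer math, rounding down), and the limit fires when the counter exceeds 1000 * <number>. As the message describes, the first matching connection only initializes the counter. The struct and function names (threshold_*, first_trigger) and the retry intervals are this example's own assumptions, chosen to show why "9/60" does not block on the 9th attempt.

```c
#include <stdint.h>
#include <stdio.h>

#define PF_THRESHOLD_MULT 1000u   /* fixed-point scale: one connection = 1000 */

/* Per-source state: a counter plus a last-update-time, as in the message. */
struct threshold {
    uint32_t limit;    /* <number> * PF_THRESHOLD_MULT */
    uint32_t seconds;  /* <seconds> */
    uint32_t count;    /* moving-average counter, scaled by 1000 */
    uint32_t last;     /* last-update-time, one-second resolution */
};

/* First matching connection: counter starts at zero, time is noted. */
static void threshold_init(struct threshold *t, uint32_t number,
                           uint32_t seconds, uint32_t now)
{
    t->limit = number * PF_THRESHOLD_MULT;
    t->seconds = seconds;
    t->count = 0;
    t->last = now;
}

/* Each subsequent matching connection: decay the counter, then add one. */
static void threshold_add(struct threshold *t, uint32_t now)
{
    uint32_t diff = now - t->last;

    if (diff >= t->seconds)
        t->count = 0;                             /* whole window elapsed: reset */
    else
        t->count -= t->count * diff / t->seconds; /* integer decay, rounds down */
    t->count += PF_THRESHOLD_MULT;
    t->last = now;
}

/* The limit triggers once the counter exceeds 1000 * <number>. */
static int threshold_exceeded(const struct threshold *t)
{
    return t->count > t->limit;
}

/*
 * Feed up to n connections, spaced interval seconds apart, through a fresh
 * counter configured as "max-src-conn-rate number/seconds". Returns the
 * 1-based index of the connection on which the limit first triggers, or 0
 * if it never triggers within n connections.
 */
int first_trigger(uint32_t number, uint32_t seconds, uint32_t interval, int n)
{
    struct threshold t;
    uint32_t now = 1000;   /* arbitrary start time; only differences matter */
    int i;

    threshold_init(&t, number, seconds, now);
    for (i = 2; i <= n; i++) {
        now += interval;
        threshold_add(&t, now);
        if (threshold_exceeded(&t))
            return i;
    }
    return 0;
}

int main(void)
{
    /* Constructed scenarios: one client retrying at a fixed interval. */
    printf("9/60, 1 attempt/s:  triggers on connection %d\n",
           first_trigger(9, 60, 1, 100));
    printf("9/60, 1 attempt/5s: triggers on connection %d\n",
           first_trigger(9, 60, 5, 100));
    printf("9/60, 1 attempt/7s: triggers on connection %d (0 = never)\n",
           first_trigger(9, 60, 7, 1000));
    printf("2/5,  1 attempt/s:  triggers on connection %d\n",
           first_trigger(2, 5, 1, 100));
    printf("2/5,  1 attempt/3s: triggers on connection %d (0 = never)\n",
           first_trigger(2, 5, 3, 1000));
    return 0;
}
```

With 9/60 and one attempt per second the limit trips on the 11th connection, not the 10th, because every step first decays the counter by count/60 before adding 1000. Slow the attacker to one attempt every 5 seconds (12 per minute, still above 9 per minute) and it takes 17 connections; at one every 7 seconds the counter settles near 1000 * 60 / 7 = 8571, below the 9000 threshold, and never trips at all. The much shorter 2/5 window reaches its threshold on the 4th back-to-back attempt, which is the practical reason behind the suggestion above.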