Reality check: IPFW sees SSH traffic that sshd does not?

Volker volker at vwsoft.com
Thu Mar 22 13:32:19 UTC 2007


Eugene,

On 12/23/-58 20:59, Eygene Ryabinkin wrote:
...
>>> Do you care to share that script?
>> It's pretty basic, but I will share it.  I've been waiting until I'd been
>> using it for a while to make sure there weren't any problems.
> 
> You can use the following rule that will put very fast SSH connectors
> to the pf table ssh_scans:
> -----
> pass in quick   on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
> keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
> -----

If you replace the "flush" keyword with "flush global", it would give
better results, as it will immediately kill all additional
connections with that host (IP address). Without the "global"
keyword, just the ssh connection causing the rule overload is
killed.

Also a max-src-conn-rate of 6/1 (6 connections in 1 second) is IMO a
bit too friendly to those brute force script kiddies but YMMV.

While doing nearly the same as you did in your pf rules, I also let
a cron job run every 10 minutes and scan the auth log for login
errors. If a threshold value is being reached, the IP address gets
inserted into a pf table and gets blocked (forever). This is just a
second line of defense.

HTH,

Volker
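As an added illustration of the "second line of defense" described above (example code, not from the original post or its author): a POSIX sh script in the shape of that cron job, which counts sshd login failures per source IP in an auth log and hands every IP at or above a threshold to a pf table with pfctl. The table name ssh_scans, the FreeBSD-style sshd log lines, the threshold of 5 and the sample log are all assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not the original poster's script: scan an auth log for sshd
# login failures, count them per source IP and add offenders to a pf table.
# Assumptions (not on the page): table name "ssh_scans", FreeBSD-style
# syslog lines from sshd, and a default threshold of 5 failures.

# Print one IP per line for every source with >= $2 sshd failures in log $1.
offending_ips() {
    logfile=$1
    threshold=${2:-5}
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user|error: maximum authentication attempts exceeded)' "$logfile" \
      | sed -nE 's/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Feed offenders to the pf table; pfctl (needs root) only runs when APPLY=1,
# otherwise the script just reports what it would do (a dry run from cron).
block_offenders() {
    table=${TABLE:-ssh_scans}
    for ip in $(offending_ips "$1" "$2"); do
        if [ "${APPLY:-0}" = 1 ]; then
            pfctl -t "$table" -T add "$ip"
        else
            echo "would add $ip to <$table>"
        fi
    done
}

# Constructed sample log (documentation-range addresses, not real traffic):
# 192.0.2.10 fails five times, 198.51.100.7 twice and then logs in.
sample_log() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
Mar 22 13:01:02 gw sshd[1201]: Failed password for root from 192.0.2.10 port 51122 ssh2
Mar 22 13:01:04 gw sshd[1201]: Failed password for root from 192.0.2.10 port 51122 ssh2
Mar 22 13:01:05 gw sshd[1203]: Invalid user admin from 192.0.2.10
Mar 22 13:01:06 gw sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 51130 ssh2
Mar 22 13:01:09 gw sshd[1203]: error: maximum authentication attempts exceeded for invalid user admin from 192.0.2.10 port 51130 ssh2 [preauth]
Mar 22 13:02:11 gw sshd[1210]: Failed password for volker from 198.51.100.7 port 40012 ssh2
Mar 22 13:02:15 gw sshd[1210]: Failed password for volker from 198.51.100.7 port 40012 ssh2
Mar 22 13:02:20 gw sshd[1210]: Accepted publickey for volker from 198.51.100.7 port 40012 ssh2
EOF
    echo "$f"
}

log=$(sample_log)
block_offenders "$log" 5   # prints: would add 192.0.2.10 to <ssh_scans>
rm -f "$log"
```

With a real log, a cron entry would run something like `APPLY=1 block_offenders /var/log/auth.log 5` every 10 minutes; the threshold and log path are local policy, not values from the post.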



More information about the freebsd-security mailing list