pfctl freebsd firewall filter question

By DanLM ·
Ok, on my home FreeBSD machine I have had a constant problem of ssh brute force attacks. I have dealt with this in a three-prong approach. I use nothing but public/private keys with ssh and you can't log in with any id other than that way. I wrote a shell script that parses the auth.log and pfctl firewalls anyone that tries to connect with the same IP and has too many illegal login attempts. This runs every 2 minutes from the crontab, and works. I also upgraded FreeBSD to 6.1 so that I could get the latest release ported over of the pfctl firewall. This includes a throttle mechanism, i.e., max-src-conn and max-src-conn-rate.

Ok, here is my question. As I understand it, max-src-conn is the number of simultaneous connections you allow from one host. And max-src-conn-rate is the rate of new connections allowed from any single host, a number of connections in a set time frame (seconds).

Ok, I have added the following lines to my firewall rules: max-src-conn 10, max-src-conn-rate 5/5, overload <floodtable> flush

This works, but not in the manner that I thought it would. I thought with that rule I would either shut down a brute force attack if 10 or more connections occurred from a single IP, or if 5 connections from the same IP occurred in 5 seconds, whichever came first.

Looking at my auth.log yesterday, I found this:
-----------------------------------------------
Oct 14 01:37:09 disone sshd[23357]: Invalid user sifak from 83.19.113.122
Oct 14 01:37:11 disone sshd[23359]: Invalid user slasher from 83.19.113.122
Oct 14 01:37:12 disone sshd[23361]: Invalid user fluffy from 83.19.113.122
Oct 14 01:37:14 disone sshd[23363]: Invalid user admin from 83.19.113.122
Oct 14 01:37:16 disone sshd[23365]: Invalid user test from 83.19.113.122
Oct 14 01:37:17 disone sshd[23367]: Invalid user guest from 83.19.113.122
Oct 14 01:37:19 disone sshd[23369]: Invalid user webmaster from 83.19.113.122
Oct 14 01:37:22 disone sshd[23374]: Invalid user oracle from 83.19.113.122
Oct 14 01:37:27 disone sshd[23376]: Invalid user library from 83.19.113.122
----------------------------------------------
Checking my pfctl.log, I find this:
@8 block drop in log quick from <floodtable:1> to any
83.19.113.122
Meaning it worked, but if you look at the auth.log, it looks like that rule choked that attempt at 10 logins, and not at 5 attempts in 5 seconds, which I would have thought is where it should have been stopped based on the time stamps in the auth.log.

Thoughts on this????

Dan
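To check the rate half of the rule against the auth.log lines quoted above, here is an added Python script (not from the thread, and not pf's own bookkeeping) that replays the nine attempts through a sliding-window approximation of max-src-conn-rate; the year and the strict window boundary are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# The nine auth.log lines quoted in the thread, embedded here as constructed input
# (syslog lines carry no year; 2006 is assumed, only the relative times matter).
AUTH_LOG = """\
Oct 14 01:37:09 disone sshd[23357]: Invalid user sifak from 83.19.113.122
Oct 14 01:37:11 disone sshd[23359]: Invalid user slasher from 83.19.113.122
Oct 14 01:37:12 disone sshd[23361]: Invalid user fluffy from 83.19.113.122
Oct 14 01:37:14 disone sshd[23363]: Invalid user admin from 83.19.113.122
Oct 14 01:37:16 disone sshd[23365]: Invalid user test from 83.19.113.122
Oct 14 01:37:17 disone sshd[23367]: Invalid user guest from 83.19.113.122
Oct 14 01:37:19 disone sshd[23369]: Invalid user webmaster from 83.19.113.122
Oct 14 01:37:22 disone sshd[23374]: Invalid user oracle from 83.19.113.122
Oct 14 01:37:27 disone sshd[23376]: Invalid user library from 83.19.113.122
"""

def parse_attempts(log_text, year=2006):
    """Map each source IP to the timestamps of its 'Invalid user ... from <ip>' lines."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if "Invalid user" not in line:
            continue
        stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        attempts[line.rsplit(" from ", 1)[1].strip()].append(stamp)
    return attempts

def max_in_window(stamps, seconds):
    """Most new connections starting inside any window of `seconds` (sliding-window
    approximation of max-src-conn-rate, assumed here, not pf's actual implementation)."""
    stamps = sorted(stamps)
    best = 0
    for i, start in enumerate(stamps):
        best = max(best, sum(1 for t in stamps[i:] if (t - start).total_seconds() < seconds))
    return best

def evaluate(log_text, max_conn=10, rate_count=5, rate_seconds=5):
    """Per source IP, report which half of 'max-src-conn 10, max-src-conn-rate 5/5' applies."""
    report = {}
    for ip, stamps in parse_attempts(log_text).items():
        peak = max_in_window(stamps, rate_seconds)
        report[ip] = {
            "connections_seen": len(stamps),
            "peak_in_window": peak,
            "rate_tripped": peak >= rate_count,
            # assumes pf still tracks a state entry for every earlier attempt
            "would_hit_max_conn_on_next": len(stamps) + 1 >= max_conn,
        }
    return report
```

Calling `evaluate(AUTH_LOG)` shows that no five attempts from 83.19.113.122 fall inside any five-second window (the peak is three), so the 5/5 rate could not have fired, while the tenth connection is the one that reaches max-src-conn 10, which is the attempt that never made it into auth.log.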


forget this, I can't bloody see

by DanLM In reply to pfctl freebsd firewall fi ...

The time stamps were over 5 second intervals for the auth.log entries. The correct portion of the firewall rule did pick up.

Damn, I really can be bloody stupid.

dan


Just for the sake of argument

by jdclyde In reply to forget this, I can't bloo ...

I will agree, this time...... :0



lol, it's good to see someone agrees

by DanLM In reply to Just for the sake of argu ...

roflmao

Dan
