General discussion

Locked

pfctl freebsd firewall filter question

By DanLM ·
Ok, on my home FreeBSD machine I have had a constant problem of ssh brute force attacks. I have dealt with this in a three prong approach. I use nothing but public/private keys with ssh and you can't log in with any id other then that way. I wrote a shell script that parses the auth.log and pfctl firewalls anyone that tries to connect with the same ip and has too many illegal log in attempts. This runs every 2 minutes from the crontab, and works. I also upgraded FreeBSD to 6.1 so that I could get the latest release ported over of the pfctl firewall. This includes a throttle mechanism. Ie, max-src-conn and max-src-conn-rate.

Ok, here is my question. As i understand max-src-conn - is the number of simultaneous connections you allow from one host. And max-src-conn-rate is the rate of new connections allowed from any single host, number of connections in a set time frame. seconds

Ok, I have added the following lines to my firewall rules: max-src-conn 10, max-src-conn-rate 5/5, overload <floodtable> flush

This works, but not in the manner that I thought it would. I thought with that rule I would either shut down a brute force attack if 10 or more connections occurred from a single ip, or if 5 connections from the same ip occurred in 5 seconds. Which ever came first.

Looking at my auth.log yesterday, I found this:
-----------------------------------------------
Oct 14 01:37:09 disone sshd[23357]: Invalid user sifak from 83.19.113.122
Oct 14 01:37:11 disone sshd[23359]: Invalid user slasher from 83.19.113.122
Oct 14 01:37:12 disone sshd[23361]: Invalid user fluffy from 83.19.113.122
Oct 14 01:37:14 disone sshd[23363]: Invalid user admin from 83.19.113.122
Oct 14 01:37:16 disone sshd[23365]: Invalid user test from 83.19.113.122
Oct 14 01:37:17 disone sshd[23367]: Invalid user guest from 83.19.113.122
Oct 14 01:37:19 disone sshd[23369]: Invalid user webmaster from 83.19.113.122
Oct 14 01:37:22 disone sshd[23374]: Invalid user oracle from 83.19.113.122
Oct 14 01:37:27 disone sshd[23376]: Invalid user library from 83.19.113.122
----------------------------------------------
Checking my pfctl.log, I find this
@8 block drop in log quick from <floodtable:1> to any
83.19.113.122
Meaning it worked, but if you look at the auth.log. It looks like that rule choked that attempt at 10 log ins, and not in 5 attempts in 5 seconds. Which I would have thought is where it should have been stopped based on the time stamps in the auth.log.

Thoughts on this????

Dan

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

forget this, I can't bloody see

by DanLM In reply to pfctl freebsd firewall fi ...

The time stamps were over 5 second intervals for the auth.log entries. The correct portion of the firewall rule did pick up.

Damn, I really can be bloody stupid.

dan

Collapse -

Just for the sake of arguement

by jdclyde In reply to forget this, I can't bloo ...

I will agree, this time...... :0


Collapse -

lol, its good to see someone agree's

by DanLM In reply to Just for the sake of argu ...

Related Discussions

Related Forums