Re: "ssh" attacks

From: Terry (beebumgmail.com)
Date: Wed May 31 2006 - 14:12:33 CDT


On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> Right now someone is trying out each IP address I have
> with an ssh attack. Only one of those IP addresses is
> enabled for ssh. I have a "(max-src-conn-rate 100/10,
> overload <bad_guys> flush global)" on that address.
>
> I would like to know how to get pf to note these
> other attempts and block the sender. To me the obvious
> would be
>
> block in on Outsize proto tcp port ssh flags S/SA
> state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
>
> This does not work. One gets a message that keeping state on
> a blocked run makes no sense.
>

These are the rules I use for this.

block in log quick on $ext_if from <bruteforce> to any

pass in log on $ext_if inet proto tcp from any to ($ext_if) \
    port ssh flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/60, \
     overload <bruteforce> flush global)

HTH
--
Terry
http://tyson.homeunix.org
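A complete pf.conf fragment built around the rules in Terry's reply, added here as an example and not part of the original post. The table declaration, the `em0` interface name and the 24-hour expiry interval are assumptions.

```pf
# Added example (not from the original post): a self-contained pf.conf
# fragment around the overload rules above. The interface name and the
# 24 h expiry are assumptions; adjust for your setup.

ext_if = "em0"   # assumed external interface

# The overload table must exist before a rule refers to it. 'persist'
# keeps it loaded even while no rule references it (e.g. during reloads).
table <bruteforce> persist

# Drop anything from an address already in the table, and log it so the
# blocks are visible in pflog.
block in log quick on $ext_if from <bruteforce> to any

# Only a pass rule can carry state-tracking options; pf rejects them on a
# block rule, which is the error quoted in the question. A source that
# holds more than 5 concurrent connections or opens more than 5 in 60 s
# is added to <bruteforce> and all of its existing states are flushed.
pass in log on $ext_if inet proto tcp from any to ($ext_if) \
    port ssh flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/60, \
     overload <bruteforce> flush global)

# Entries never age out on their own. Run this from cron (here: daily)
# to drop entries untouched for 86400 seconds, so the table does not
# grow without bound and a user who mistyped a password is not blocked
# forever:
#   pfctl -t bruteforce -T expire 86400
# Inspect the current contents with:
#   pfctl -t bruteforce -T show
```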