
freebsd-pf Digest, Vol 271, Issue 4


freebsd-p...@freebsd.org

Dec 6, 2009, 7:00:27 AM
to freeb...@freebsd.org
Send freebsd-pf mailing list submissions to
freeb...@freebsd.org

To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
or, via email, send a message with subject or body 'help' to
freebsd-p...@freebsd.org

You can reach the person managing the list at
freebsd-...@freebsd.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of freebsd-pf digest..."


Today's Topics:

1. Limit connections doesn't work (Nico De Dobbeleer)
2. Re: Limit connections doesn't work (Vitaliy Vladimirovich)


----------------------------------------------------------------------

Message: 1
Date: Sat, 5 Dec 2009 15:09:52 +0100 (CET)
From: Nico De Dobbeleer <ni...@elico-it.be>
Subject: Limit connections doesn't work
To: freeb...@freebsd.org
Message-ID: <6783768.102251260022192330.JavaMail.root@zimbra-store>
Content-Type: text/plain; charset=utf-8

Hello,

Like most public IPs, my servers are constantly under brute-force attack; see this example:

Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2
Dec 5 13:56:51 hosting sshd[18629]: Invalid user rtorres from 173.10.126.226
Dec 5 13:56:53 hosting sshd[18629]: Failed password for invalid user rtorres from 173.10.126.226 port 49872 ssh2
Dec 5 13:56:55 hosting sshd[18631]: Invalid user jatema from 173.10.126.226
Dec 5 13:56:57 hosting sshd[18631]: Failed password for invalid user jatema from 173.10.126.226 port 50293 ssh2
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 173.10.126.226 port 50702 ssh2
Dec 5 13:57:04 hosting sshd[18635]: Failed password for invalid user root from 173.10.126.226 port 51154 ssh2
Dec 5 13:57:06 hosting sshd[18637]: Invalid user boss from 173.10.126.226
Dec 5 13:57:08 hosting sshd[18637]: Failed password for invalid user boss from 173.10.126.226 port 51507 ssh2
Dec 5 13:57:09 hosting sshd[18639]: Invalid user sasha from 173.10.126.226
Dec 5 13:57:11 hosting sshd[18639]: Failed password for invalid user sasha from 173.10.126.226 port 51929 ssh2
Dec 5 13:57:13 hosting sshd[18641]: Invalid user vic from 173.10.126.226
Dec 5 13:57:14 hosting sshd[18641]: Failed password for invalid user vic from 173.10.126.226 port 52321 ssh2
Dec 5 13:57:16 hosting sshd[18643]: Invalid user ranjith from 173.10.126.226
Dec 5 13:57:18 hosting sshd[18643]: Failed password for invalid user ranjith from 173.10.126.226 port 52650 ssh2
Dec 5 13:57:21 hosting sshd[18645]: Failed password for invalid user root from 173.10.126.226 port 53087 ssh2
Dec 5 13:57:25 hosting sshd[18647]: Failed password for invalid user root from 173.10.126.226 port 53447 ssh2
Dec 5 13:57:29 hosting sshd[18649]: Failed password for invalid user root from 173.10.126.226 port 53852 ssh2

Now I want to limit the connections over SSH to a specific IP address, and I added the rules below for that.
------------------------------------------------------------------------------------------------------------------
# Tables
table <abusive_ips> persist file "/etc/pf.abusive_ips.block.list"
table <brute> persist

# Rules

block quick from <abusive_ips>
block quick from <brute>


# Limit connections per IP
# (the state options in parentheses belong to the rule on the previous line,
#  so the line is continued with a backslash)

pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/15, overload <brute> flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)
--------------------------------------------------------------------------------------------------------------------

The only problem is that it doesn't work: these rules never write the abusive IP to the abusive-IP list file or into the <brute> table.

Does anyone have an idea why it doesn't overload the IPs when the connections per IP exceed 10 or exceed 3/15?

With kind regards,
Nico De Dobbeleer
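
As an added example (not from the post and not part of pf), the following Python script reads sshd log lines like those above, counts one connection per sshd child pid, and reports the first connection from each source that exceeds the post's max-src-conn-rate 3/15 threshold. It uses a plain 15-second sliding window, a simplification of pf's own rate counter, and cannot evaluate max-src-conn 10 because the log does not show when connections close.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the sshd lines quoted in the post above.
SAMPLE_LOG = """\
Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
Dec 5 13:56:41 hosting sshd[18625]: Invalid user support from 173.10.126.226
Dec 5 13:56:43 hosting sshd[18625]: Failed password for invalid user support from 173.10.126.226 port 48676 ssh2
Dec 5 13:56:47 hosting sshd[18627]: Invalid user jnanchito from 173.10.126.226
Dec 5 13:56:50 hosting sshd[18627]: Failed password for invalid user jnanchito from 173.10.126.226 port 49122 ssh2
Dec 5 13:57:01 hosting sshd[18633]: Failed password for invalid user root from 173.10.126.226 port 50702 ssh2
"""

# Syslog prefix, sshd child pid and source address; matches both the
# "Invalid user" and the "Failed password" line shapes.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[(?P<pid>\d+)\]: .*? from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def connections(log, year=2009):
    """Yield (timestamp, src) once per sshd child pid, i.e. once per TCP connection."""
    # Several lines share a pid when they belong to one session; counting raw
    # lines would overstate the connection rate that pf actually sees.
    seen = set()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m["pid"] in seen:
            continue
        seen.add(m["pid"])
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["src"]


def overloads(log, limit=3, seconds=15):
    """Return {src: timestamp of the first connection that exceeds limit/seconds}."""
    # Plain sliding window: the (limit + 1)th new connection within `seconds`
    # trips the threshold, mirroring the post's max-src-conn-rate 3/15.
    recent = defaultdict(list)
    first_hit = {}
    for ts, src in connections(log):
        recent[src] = [t for t in recent[src] if (ts - t).total_seconds() < seconds]
        recent[src].append(ts)
        if len(recent[src]) > limit and src not in first_hit:
            first_hit[src] = ts
    return first_hit
```

Run against the quoted log, the fourth connection from 173.10.126.226 (13:56:47) already lands inside a 15-second window with three earlier ones, so a working 3/15 rule should have overloaded that source by then.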

------------------------------

Message: 2
Date: Sun, 06 Dec 2009 11:19:11 +0200
From: "Vitaliy Vladimirovich" <arte...@ukr.net>
Subject: Re: Limit connections doesn't work
To: Nico De Dobbeleer <ni...@elico-it.be>
Cc: freeb...@freebsd.org
Message-ID: <E1NHDGp-...@ffe7.ukr.net>
Content-Type: text/plain; charset="windows-1251"



--- Original Message ---
From: Nico De Dobbeleer <ni...@elico-it.be>
To: freeb...@freebsd.org
Date: 5 december, 16:09:52
Subject: Limit connections doesn't work

I think you should specify

source-track rule (rule or global) in your rules. Like this:

pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state \
    (max 10, source-track rule, max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)


See "Stateful Tracking Options" in the PF FAQ.


------------------------------

End of freebsd-pf Digest, Vol 271, Issue 4
******************************************
