Re: SSH scans vs connection ratelimiting

Board: FB_security, posted 2006/08/30 14:54
Just to put an end to this silliness :)

A few days ago, I wrote:

> For months now, we're all seeing repeated bruteforce attempts on SSH.
> I've configured my pf install to ratelimit TCP connections to port 22
> and to automatically add IP-addresses that connect too fast to a table
> that's filtered:

<snip>

> This works as expected, IP-addresses are added to the 'lamers'-table
> every once in a while.
>
> However, there apparently are SSH bruteforcers that simply use one
> connection to perform a brute-force attack:

As mysteries go, this one was a PEBKAC, too. My pf config had a 'deny all'-statement, but only for the external interface. A tunnel interface wasn't filtered in any way and no ratelimiting was taking place for the SSH daemon bound on that tunnel interface's address, hence the succeeding scans.

Sorry for the confusion,

Pieter

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
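The misconfiguration described above, as an added example that is not part of the original post: a constructed pf.conf fragment showing the interface-bound rules beside a form that covers every interface sshd is reachable on. The interface names, macros and rate values are assumptions; only the `lamers` table name comes from the post.

```conf
# Constructed pf.conf fragment (not the poster's configuration).
# Interface names and the 3-connections-per-30-seconds limit are assumptions.
ext_if = "em0"      # assumed external interface
tun_if = "tun0"     # assumed tunnel interface

table <lamers> persist

# Weak form (left commented out): both rules are bound to $ext_if.
# Packets arriving on $tun_if match no rule, and pf passes unmatched
# packets by default, so sshd on the tunnel address is neither
# filtered nor rate limited.
#
#   block in on $ext_if all
#   block in quick on $ext_if from <lamers>
#   pass in on $ext_if proto tcp to port 22 flags S/SA keep state \
#       (max-src-conn-rate 3/30, overload <lamers> flush global)

# Corrected form: the default deny and the overload table are not tied
# to one interface, and the rate limit is applied on each interface
# where sshd accepts connections.
set skip on lo0
block in all
block in quick from <lamers>
pass in on { $ext_if $tun_if } proto tcp to port 22 flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <lamers> flush global)
pass out all keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` lists the loaded rules, which shows whether the block and rate-limit rules are restricted to a single interface.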