Re: Reality check: IPFW sees SSH traffic that sshd does not?


Wed, Mar 21, 2007 at 10:30:06AM -0400, Bill Moran wrote:
> In response to "W. D." <WD@US-Webmasters.com>:
> 
> > At 08:27 3/21/2007, Bill Moran, wrote:
> > I run a little script I wrote that automatically adds
> > >failed SSH attempts to a table that blocks them from _everything_ in my
> > >pf rules. 
> > 
> > Do you care to share that script?
> 
> It's pretty basic, but I will share it.  I've been waiting until I'd been
> using it for a while to make sure there weren't any problems.

You can use the following rule that will put very fast SSH connectors
to the pf table ssh_scans:
-----
pass in quick   on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
-----
and you can do whatever you like with the ssh_scans table in your pf
ruleset. It is just another option to throttle SSH scans with the pf,
though you should whitelist the good known hosts that are doing massive
numbers of SSH connections to your host. And you can use the expiretable
port to expire the entries in the ssh_scans.

Not a silver bullet, but proved to be useful at some configurations.
-- 
Eygene
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"