Re: Reality check: IPFW sees SSH traffic that sshd does not?



Wed, Mar 21, 2007 at 10:30:06AM -0400, Bill Moran wrote:
In response to "W. D." <WD@xxxxxxxxxxxxxxxxx>:

At 08:27 3/21/2007, Bill Moran wrote:
I run a little script I wrote that automatically adds
failed SSH attempts to a table that blocks them from _everything_ in my
pf rules.

Do you care to share that script?

It's pretty basic, but I will share it. I've been waiting until I'd been
using it for a while to make sure there weren't any problems.

You can use the following rule, which will put very fast SSH connectors
into the pf table ssh_scans:
-----
pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
-----
and you can do whatever you like with the ssh_scans table in your pf
ruleset. It is just another option to throttle SSH scans with pf,
though you should whitelist the known good hosts that make massive
numbers of SSH connections to your host. And you can use the expiretable
port to expire the entries in ssh_scans.

Not a silver bullet, but it has proved useful in some configurations.
--
Eygene
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
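
As an added example (not part of Eygene's post or any FreeBSD project file), here is how that overload rule fits into a minimal pf.conf together with a whitelist, a block rule that consumes the table, and expiry of old entries; the interface name and all addresses are constructed placeholders, and the two expiry commands in the trailing comment are assumed to be run from cron, not from pf.conf.

```pf
# Added example, not from the list post: minimal pf.conf around the
# overload rule. Interface and addresses are constructed placeholders.
iface = "em0"
ip = "192.0.2.10"            # this host's address (constructed)

# Known good hosts that legitimately open many SSH connections
# (monitoring, backup jobs). Constructed addresses.
table <ssh_whitelist> persist { 192.0.2.20, 203.0.113.0/24 }

# Filled by the overload clause below; "persist" keeps the table
# across ruleset reloads even when no rule references it yet.
table <ssh_scans> persist

# Drop everything from hosts that tripped the limiter. "quick" and
# placement before the pass rules make this take effect immediately.
block in quick on $iface from <ssh_scans> to any

# Whitelisted hosts bypass the rate limit entirely.
pass in quick on $iface proto tcp from <ssh_whitelist> to $ip port 22 \
    flags S/SA keep state

# Everyone else: at most 4 concurrent connections and at most 6 new
# connections per second per source address. A source that exceeds
# either limit is added to <ssh_scans>; "flush" tears down the states
# that source already has for this rule.
pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
    keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)

# Expire table entries older than a day from cron (not pf.conf syntax):
#   expiretable -t 24h ssh_scans          # security/expiretable port
#   pfctl -t ssh_scans -T expire 86400    # pfctl built-in equivalent
```

Check what the limiter has caught with `pfctl -t ssh_scans -T show`; a whitelisted host that still lands in the table means the whitelist pass rule is ordered after the rate-limited one.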
