Re: Reality check: IPFW sees SSH traffic that sshd does not?
On 22/03/2007, at 1:50 AM, Eygene Ryabinkin wrote:

You can use the following rule that will put very fast SSH connectors
to the pf table ssh_scans:
-----
pass in quick on $iface proto tcp from any to $ip port 22 flags S/ AUSPF \
keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)
-----

Interesting, I really must get off my ass and look closely at pf.

I use the Simple Event Correlator (sec, in ports) to parse the auth logfile and add ipfw rules blocking the originating site once it sees 3 authentication failures of any kind from a single address. One of the sec rules looks like this:

-----------------------
type=SingleWithThreshold
ptype=RegExp
pattern=Failed password for (\S+) from (\S+) port (\S+) ssh2
desc=SSH attack from $2
action=shellcmd /usr/local/bin/ipfwadd.sh "$2" ; pipe 'Failed password for $1 from $2' /usr/bin/mail -s 'SSH Attack from $2' me@xxxxxxxxxxxxx
window=60
thresh=3
-----------------------

ipfwadd.sh is just

#!/bin/sh
/sbin/ipfw add 25 deny log tcp from "$1" to any in via tun0   # $1 = offending address passed in by sec

-----------------------

I also have a rule that emails me whenever someone successfully logs into the system.

It's not foolproof, but it helps.


Carl.
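The sec threshold rule and ipfwadd.sh described above, reimplemented as an added stand-alone example (not Carl's configuration or sec's own code) so the 60-second / 3-failure sliding-window counting can be run over a few constructed auth.log lines; the hostname, addresses and the 2007 log year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same pattern as the sec rule; sec's $2 is group(2) here.
PATTERN = re.compile(r"Failed password for (\S+) from (\S+) port (\S+) ssh2")
WINDOW = 60   # seconds, matches window=60
THRESH = 3    # matches thresh=3

# Constructed sample auth.log lines (assumed year 2007, hostname "gw").
SAMPLE_LOG = """\
Mar 22 01:50:01 gw sshd[1201]: Failed password for root from 192.0.2.10 port 40001 ssh2
Mar 22 01:50:12 gw sshd[1203]: Failed password for admin from 192.0.2.10 port 40002 ssh2
Mar 22 01:50:20 gw sshd[1205]: Failed password for carl from 198.51.100.7 port 51000 ssh2
Mar 22 01:50:33 gw sshd[1207]: Failed password for test from 192.0.2.10 port 40003 ssh2
Mar 22 01:55:00 gw sshd[1210]: Failed password for carl from 198.51.100.7 port 51001 ssh2
Mar 22 01:55:40 gw sshd[1212]: Failed password for carl from 198.51.100.7 port 51002 ssh2
"""

def parse_ts(line, year=2007):
    """Syslog lines carry no year; assume one so the timestamps are comparable."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").timestamp()

def ipfw_rule(src):
    """The command ipfwadd.sh would run for a blocked source."""
    return f"/sbin/ipfw add 25 deny log tcp from {src} to any in via tun0"

def correlate(log_text):
    """Return the sources that reached THRESH failures inside WINDOW seconds,
    in the order sec's SingleWithThreshold would fire (once per source)."""
    recent = defaultdict(deque)   # source address -> timestamps of recent failures
    blocked = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        src = m.group(2)
        if src in blocked:
            continue                  # already fired; ipfw rule 25 now drops its packets
        ts = parse_ts(line)
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()               # failures that slid out of the 60 s window no longer count
        if len(q) >= THRESH:
            blocked.append(src)       # this is where sec would run ipfwadd.sh and mail you
    return blocked

if __name__ == "__main__":
    for src in correlate(SAMPLE_LOG):
        print(ipfw_rule(src))
```

In the sample, 192.0.2.10 fails three times within 32 seconds and is blocked, while 198.51.100.7's three failures are spread over five minutes and never have three inside one window.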

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
