Re: Re: Reality check: IPFW sees SSH traffic that sshd does not?

Good day!

Thu, Mar 22, 2007 at 02:04:46PM +0100, Volker wrote:
>> You can use the following rule that will put very fast SSH connectors
>> to the pf table ssh_scans:
>> pass in quick on $iface proto tcp from any to $ip port 22 flags S/AUSPF \
>>     keep state (max-src-conn 4, max-src-conn-rate 6/1, overload <ssh_scans> flush)

> If you replace the "flush" keyword by "flush global" it would give
> better results as it immediately will kill all additional
> connections with that host (IP address). Without the "global"
> keyword just the ssh connection causing the rule overload is being
>
> Also a max-src-conn-rate of 6/1 (6 connections in 1 second) is IMO a
> bit too friendly to those brute force script kiddies but YMMV.

I happen to make some rapid scp's that are doing about 5 or 6
connections in a minute from the legitimate hosts, so sometimes
even the legitimate hosts are getting blocked. And if that host has
another session to the server I do not like it to be dropped, since
then the session will be lost and I will not be able to drop the
legitimate host from the ssh_scans manually. Whitelisting will help,
but I have no persistent list of the machines I can come from. But
your mileage may vary.

By the way, the 6/1 rule is very good when you're firewalling a
large number of clients: massive SSH scans are often hitting the
full netblock, so by changing the '$ip' above to '<clients_table>' you
will get very good throttling for the entire network you're protecting.

> While doing nearly the same as you did in your pf rules, I also let
> a cron job run every 10 minutes and scan the auth log for login
> errors. If a threshold value is being reached, the IP address gets
> inserted into a pf table and gets blocked (forever). This is just a
> second line of defense.

Yeah, this is also helpful. But my setup currently gives me about
4 probes from the SSH scanners and then that host gets blocked. And
the blocking for a long time (or forever) can be not so good on
busy public login servers -- a machine can just be hacked, but rapidly
reinstalled and patched. Again, your mileage may vary.

freebsd-security@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
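An added example, not code from either poster: a cron-driven "second line of defense" of the kind Volker describes, scanning the sshd auth log for failed logins and adding repeat offenders to a pf table, with an expiry step so that addresses are not blocked forever (the concern raised in the reply above). The log path, table name, threshold, expiry time, the assumed pf.conf lines in the header comment and the sshd log line formats are all assumptions; the sample log is constructed for trying the parser offline.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-driven "second line of
# defense" of the kind Volker describes.  It scans an sshd auth log for
# failed logins, counts failures per source address and adds any address
# at or above a threshold to a pf table.  Log path, table name, threshold,
# expiry time and the log line formats below are assumptions.
#
# Assumed pf.conf (not from the original mail):
#   table <ssh_scans> persist
#   block in quick on $iface proto tcp from <ssh_scans> to $ip port 22
#
# Assumed cron entry:  */10 * * * * /usr/local/sbin/ssh_blocker.sh run

LOG=${LOG:-/var/log/auth.log}
TABLE=${TABLE:-ssh_scans}
THRESHOLD=${THRESHOLD:-5}
EXPIRE=${EXPIRE:-86400}        # seconds; avoids blocking an address forever

# Print "count ip" (highest count first) for every source address whose
# sshd failures in $1 reach threshold $2.  Matches the two usual forms:
#   sshd[1001]: Failed password for root from 198.51.100.7 port 4321 ssh2
#   sshd[1002]: Invalid user admin from 198.51.100.7
# "Accepted" lines are ignored, so a legitimate host that logs in
# successfully is not counted against itself.
ssh_offenders() {
    offenders_log=$1
    offenders_thr=$2
    awk -v thr="$offenders_thr" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$offenders_log" | sort -rn
}

# Add every offender to the pf table and expire old entries.  Set DRY_RUN=1
# to print instead of calling pfctl.  "pfctl -T add" ignores addresses that
# are already in the table, so the job is safe to re-run every 10 minutes.
block_offenders() {
    ssh_offenders "$LOG" "$THRESHOLD" | while read -r count ip; do
        if [ -n "$DRY_RUN" ]; then
            echo "would add $ip ($count failures) to <$TABLE>"
        else
            pfctl -q -t "$TABLE" -T add "$ip"
        fi
    done
    # Drop table entries older than $EXPIRE seconds (pfctl -T expire) so a
    # reinstalled or cleaned-up host is not shut out permanently.
    [ -n "$DRY_RUN" ] || pfctl -q -t "$TABLE" -T expire "$EXPIRE"
}

# Constructed sample log for trying the parser offline; prints the path
# of a temporary file that the caller should remove.
sample_log() {
    sample_file=$(mktemp) || return 1
    cat >"$sample_file" <<'EOF'
Mar 22 14:01:02 gw sshd[1001]: Failed password for root from 198.51.100.7 port 4321 ssh2
Mar 22 14:01:04 gw sshd[1002]: Invalid user admin from 198.51.100.7
Mar 22 14:01:05 gw sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 4322 ssh2
Mar 22 14:02:10 gw sshd[1010]: Failed password for alice from 203.0.113.9 port 50122 ssh2
Mar 22 14:02:15 gw sshd[1010]: Accepted publickey for alice from 203.0.113.9 port 50123 ssh2
EOF
    echo "$sample_file"
}

case "${1:-}" in
    run)  block_offenders ;;
    # threshold 3 for the small sample: reports 198.51.100.7, not 203.0.113.9
    demo) f=$(sample_log); ssh_offenders "$f" 3; rm -f "$f" ;;
esac
```

Run it as `ssh_blocker.sh demo` to see the parser on the constructed log, and `DRY_RUN=1 ssh_blocker.sh run` to preview what the cron job would add before letting it call pfctl. Keeping the parsing in a function separate from the pfctl calls is what makes it testable without a pf-capable host.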
