Hi folks,

I hope I'm just missing something stupid. It's been a while since I deployed public OpenBSD servers, but I've done plenty. I always use a defence in pf.conf against brute-force SSH attacks, which has served me well in the past.

On a new machine running 6.8, this no longer appears to work. I've stripped it back to:

table <scanners> persist file "/etc/scanners"

block quick from <scanners>

pass quick proto tcp from any to any port ssh flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 3/15, overload <scanners> flush global)

(taken directly from https://home.nuug.no/~peter/pf/en/bruteforce.html )

But I'm still seeing, e.g.:

Jan 10 13:25:20 ns3 sshd[3233]: Failed password for invalid user admin from 67.1.238.105 port 47102 ssh2
Jan 10 13:25:21 ns3 last message repeated 5 times
Jan 10 13:25:21 ns3 sshd[3233]: error: maximum authentication attempts exceeded for invalid user admin from 67.1.238.105 port 47102 ssh2 [preauth]
Jan 10 13:25:21 ns3 sshd[3233]: Disconnecting invalid user admin 67.1.238.105 port 47102: Too many authentication failures [preauth]
Jan 10 13:25:25 ns3 sshd[98147]: Invalid user admin from 67.1.238.105 port 47232
Jan 10 13:25:25 ns3 sshd[98147]: Failed password for invalid user admin from 67.1.238.105 port 47232 ssh2
Jan 10 13:25:26 ns3 last message repeated 5 times
Jan 10 13:25:26 ns3 sshd[98147]: error: maximum authentication attempts exceeded for invalid user admin from 67.1.238.105 port 47232 ssh2 [preauth]
Jan 10 13:25:26 ns3 sshd[98147]: Disconnecting invalid user admin 67.1.238.105 port 47232: Too many authentication failures [preauth]
Jan 10 13:25:32 ns3 sshd[17711]: Invalid user admin from 67.1.238.105 port 47366

On an older server, searching for "repeated" in authlog shows a typical max of 2 times.

Checking the pf log, it's definitely the final (pass quick) rule which is letting them in. And yes, dumping the <scanners> table does indeed show the IP address(es) in question. So the block doesn't appear to be doing anything.

Am I being a dumbass? Have I missed some subtle change in pf behaviour which is breaking my filter?

Thanks,

Steve

--

--------------------------------------------------
          Steve Fairhead
fivetrees ltd - for the complete music service
   www: http://www.fivetrees.com
--------------------------------------------------
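As an added illustration (not part of Steve's post): pf's max-src-conn-rate counts new TCP connections, i.e. distinct (source IP, source port) pairs, not password attempts made inside one connection, so the quoted authlog can be checked against the 3/15 threshold the way pf would see it. The Python below was written for this page; it assumes the year 2021 for the syslog timestamps, which carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# authlog excerpt quoted in the post above (syslog timestamps carry no year; one is assumed)
SAMPLE_LOG = """\
Jan 10 13:25:20 ns3 sshd[3233]: Failed password for invalid user admin from 67.1.238.105 port 47102 ssh2
Jan 10 13:25:21 ns3 last message repeated 5 times
Jan 10 13:25:21 ns3 sshd[3233]: error: maximum authentication attempts exceeded for invalid user admin from 67.1.238.105 port 47102 ssh2 [preauth]
Jan 10 13:25:21 ns3 sshd[3233]: Disconnecting invalid user admin 67.1.238.105 port 47102: Too many authentication failures [preauth]
Jan 10 13:25:25 ns3 sshd[98147]: Invalid user admin from 67.1.238.105 port 47232
Jan 10 13:25:25 ns3 sshd[98147]: Failed password for invalid user admin from 67.1.238.105 port 47232 ssh2
Jan 10 13:25:26 ns3 last message repeated 5 times
Jan 10 13:25:26 ns3 sshd[98147]: error: maximum authentication attempts exceeded for invalid user admin from 67.1.238.105 port 47232 ssh2 [preauth]
Jan 10 13:25:26 ns3 sshd[98147]: Disconnecting invalid user admin 67.1.238.105 port 47232: Too many authentication failures [preauth]
Jan 10 13:25:32 ns3 sshd[17711]: Invalid user admin from 67.1.238.105 port 47366
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: .*?(\d+\.\d+\.\d+\.\d+) port (\d+)")

def parse_connections(log, year=2021):
    """Map each source IP to the sorted start times of its distinct TCP connections,
    one per (ip, source port) pair, which is what pf's max-src-conn-rate counts;
    extra password failures inside one connection add nothing."""
    first_seen = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            first_seen.setdefault((m.group(2), int(m.group(3))), ts)
    per_src = defaultdict(list)
    for (ip, _port), ts in first_seen.items():
        per_src[ip].append(ts)
    return {ip: sorted(times) for ip, times in per_src.items()}

def peak_rate(times, seconds):
    """Largest number of connections starting within any window of `seconds`."""
    return max((sum(1 for t in times[i:] if (t - start).total_seconds() <= seconds)
                for i, start in enumerate(times)), default=0)

def check_overload(log, number=3, seconds=15):
    """Approximate the max-src-conn-rate number/seconds test (pf uses a moving
    average): flag a source once more than `number` connections start within `seconds`."""
    result = {}
    for ip, times in parse_connections(log).items():
        peak = peak_rate(times, seconds)
        result[ip] = (peak, peak > number)
    return result
```

On the quoted excerpt this yields three connections in twelve seconds for 67.1.238.105, which sits at the 3/15 limit rather than over it; the "repeated 5 times" lines are password failures within one connection and do not count towards the rate.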
