On Fri, Jan 11 2008 at 47:11, Peter N. M. Hansteen wrote:
> Claer <[EMAIL PROTECTED]> writes:
>
> > I always hesitate to use this trick. Could you please elaborate more on the
> > implications of this method? Is it still effective?
>
> Yes, it's still effective. You need to put in whatever values you
> feel are appropriate for your network and users. In Lars' example,

Sorry for not being that clear. I was talking about auto-mailing whois
address-block abuse contacts. I already use rate filtering. It's true
that this method is still effective. Some bots start to distribute the
attacks, so the effectiveness is eroding with time.

For the record, I also tried the OS fingerprint trick. This one is not
effective for ssh bruteforce but for antispam. For the moment, only the
Windows 2000 OS is matched frequently (around once a day for my DSL
connection).

Anyway, thanks for your long explanation :)

Regards,

> > pass in on $ext_if proto tcp to ($ext_if) port ssh \
> > flags S/SA keep state (max-src-conn 4, \
> > max-src-conn-rate 2/60, overload <bruteforce> \
> > flush global)
>
> any host with more than 4 simultaneous ssh connections OR that
> connects more than twice during any 60-second period has all their
> existing connections terminated, their address put into the bruteforce
> table and their address no longer matches the criteria for the pass
> rule. Those values are low enough that you might risk tripping up
> legitimate connections if there are enough users coming in from behind
> a NATing gateway, but that scenario may not be relevant for your case.
>
> What happens to connections from addresses in the bruteforce table is
> up to you, but I suspect a rule involving 'block quick' is very
> common. And yes, it's in the tutorial[1] and covered in that little
> book of mine[2].
>
> - Peter
>
> [1] http://home.nuug.no/~peter/pf/en/bruteforce.html goes right to
> this topic, http://home.nuug.no/~peter/pf/ for a choice of formats
>
> [2] http://nostarch.com/pf.htm
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
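The following pf.conf fragment is an added example, not part of the thread and not Peter's or Lars' ruleset. It puts the quoted pass rule together with the persistent table and the 'block quick' rule Peter mentions, so the three pieces are visible as one working unit. The interface name and the thresholds are assumptions chosen for illustration; the table name <bruteforce> and the rule itself come from the thread.

```pf
# Added example: minimal pf.conf fragment for the ssh rate-limit trap.
# ext_if is an assumed interface name; adjust thresholds to your site.

ext_if = "em0"

# 'persist' keeps the table around even when no rule references it, and
# across ruleset reloads. It starts empty; the overload clause fills it.
table <bruteforce> persist

# Drop traffic from trapped addresses before any pass rule is consulted.
# 'quick' ends rule evaluation here, so no later pass rule can re-admit
# the source. Without a block rule, an overloaded address would merely
# stop matching the pass rule below.
block in quick on $ext_if from <bruteforce>

# The rule from the thread: per source address, at most 4 concurrent ssh
# connections and at most 2 new connections in any 60-second window.
# Exceeding either limit adds the source to <bruteforce>; 'flush global'
# kills every state that address holds, not only its ssh states.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 4, max-src-conn-rate 2/60, \
     overload <bruteforce> flush global)
```

Two operational notes. Entries added by overload never age out by themselves; a periodic `pfctl -t bruteforce -T expire 86400` removes entries older than a day, and `pfctl -t bruteforce -T show` lists what is currently trapped. As Peter points out, 2 connections per 60 seconds is tight for a population behind a single NAT address; raising max-src-conn-rate (or whitelisting the NAT gateway in a table that an earlier pass rule references) avoids trapping legitimate users.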