Put this in pf.conf:
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
:)
enjoy
On 10 Jan 2008, at 21:53, Ken wrote:
A practical example, real life, last night.
I was replacing my hard drive on my home broadband OBSD firewall, and it was taking a few minutes to copy over the old pf.conf and enable the firewall. I had installed the latest snapshot as a fresh image and restarted. It took a little while to set up the local networks, and I was connected to the Internet, so I could download packages.
I copied over the pf.conf from my backup host and enabled it, not thinking much more about it.
Then this morning I looked at /var/log/authlog to see stuff like this:
Jan 9 18:00:01 home-fw newsyslog[6065]: logfile turned over
Jan 9 18:03:03 home-fw sshd[29544]: Invalid user andrew from 125.16.26.123
Jan 9 18:03:03 home-fw sshd[240]: input_userauth_request: invalid user andrew
Jan 9 18:03:03 home-fw sshd[29544]: Failed password for invalid user andrew from 125.16.26.123 port 52447 ssh2
Jan 9 18:03:03 home-fw sshd[240]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:06 home-fw sshd[19514]: Invalid user adam from 125.16.26.123
Jan 9 18:03:06 home-fw sshd[15864]: input_userauth_request: invalid user adam
Jan 9 18:03:06 home-fw sshd[19514]: Failed password for invalid user adam from 125.16.26.123 port 52651 ssh2
Jan 9 18:03:06 home-fw sshd[15864]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:08 home-fw sshd[18110]: Invalid user trial from 125.16.26.123
Jan 9 18:03:08 home-fw sshd[22493]: input_userauth_request: invalid user trial
Jan 9 18:03:09 home-fw sshd[18110]: Failed password for invalid user trial from 125.16.26.123 port 52821 ssh2
Jan 9 18:03:09 home-fw sshd[22493]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:11 home-fw sshd[20596]: Invalid user calendar from 125.16.26.123
Jan 9 18:03:11 home-fw sshd[8582]: input_userauth_request: invalid user calendar
Jan 9 18:03:11 home-fw sshd[20596]: Failed password for invalid user calendar from 125.16.26.123 port 53011 ssh2
Jan 9 18:03:12 home-fw sshd[8582]: Received disconnect from 125.16.26.123: 11: Bye Bye
Jan 9 18:03:14 home-fw sshd[22151]: Invalid user poq from 125.16.26.123
Jan 9 18:03:14 home-fw sshd[17137]: input_userauth_request: invalid user poq
Jan 9 18:03:14 home-fw sshd[22151]: Failed password for invalid user poq from 125.16.26.123 port 53199 ssh2
I never see anything like that, since my pf rules only allow me to ssh back to home from my work IP range.
In the space of about 15 minutes before I enabled pf all of the following users were tried, probably by an automated script:
Aaliyah Aaron Aba Abel Exit Jewel
Zmeu Zmeu adam adam add adm
admin admin admin admin admin admin
admin admins admins adrian alan alex
alin alina alinus amanda andrei andrew
angel apache aron at backup bnc
bran brett cafe calendar cap cgi
ch cmd com danny data david
dulap fernando fluffy ftp games george
get guest guest hacker haxor hk
http httpd hy id ident if
info info internet irc is it
john kathi kayten ldap library linux
lp luis mail mail mailman master
max michael michael michi mikael mike
mike mysql mysql net network news
news nick octavio open oper oracle
org party paul paul pe pgsql
pgsql pl play poq postfix postmaster
print psybnc radu resin rex richard
richard robert rpm sales samba sara
search sef sex sgi sharon shell
shell shop squid ssh stan station
stef stephen steven sunny sunsun susan
suva suzuki tavi technicom telnet test
test test test test trial trib
uk unix unseen us user user
username username users web webadmin webmaster
webmaster webpop word www-data wwwrun wwwrun
yahoo za
What a cesspool the internet is! Good passwords, limit access to where it is necessary, and run an ironclad OS. Thanks for making it all possible.
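An added example, not part of either message: a replay of authlog-style lines against the 3/30 limit from the rule at the top, showing when a source would land in <ssh-bruteforce>. Assumptions: every "Failed password" line is one TCP connection, a plain sliding window stands in for pf's own rate accounting (which differs in detail), the table is dropped by a separate block rule that the post does not show, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed authlog lines (documentation addresses), one entry per line.
SAMPLE = """\
Jan 9 18:00:10 home-fw sshd[4101]: Failed password for alice from 198.51.100.20 port 40110 ssh2
Jan 9 18:03:03 home-fw sshd[4102]: Invalid user andrew from 203.0.113.7
Jan 9 18:03:03 home-fw sshd[4102]: Failed password for invalid user andrew from 203.0.113.7 port 52447 ssh2
Jan 9 18:03:06 home-fw sshd[4103]: Failed password for invalid user adam from 203.0.113.7 port 52651 ssh2
Jan 9 18:03:09 home-fw sshd[4104]: Failed password for invalid user trial from 203.0.113.7 port 52821 ssh2
Jan 9 18:03:11 home-fw sshd[4105]: Failed password for invalid user calendar from 203.0.113.7 port 53011 ssh2
Jan 9 18:03:14 home-fw sshd[4106]: Failed password for invalid user poq from 203.0.113.7 port 53199 ssh2
Jan 9 18:05:40 home-fw sshd[4107]: Failed password for alice from 198.51.100.20 port 40388 ssh2
Jan 9 18:11:02 home-fw sshd[4108]: Failed password for alice from 198.51.100.20 port 40519 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+")

def simulate(log_text, max_conn=3, window=30, year=2008):
    """Replay failed logins against a max-src-conn-rate style limit.

    Returns {source: {"tripped_at", "allowed", "dropped"}}. syslog
    timestamps carry no year, so one is assumed for parsing.
    """
    recent = defaultdict(deque)  # source -> timestamps inside the window
    result = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # other sshd lines do not mark a new connection
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        stats = result.setdefault(
            m["src"], {"tripped_at": None, "allowed": 0, "dropped": 0})
        if stats["tripped_at"]:
            stats["dropped"] += 1  # already in the table: blocked
            continue
        q = recent[m["src"]]
        q.append(when)
        while (when - q[0]).total_seconds() >= window:
            q.popleft()  # forget connections older than the window
        if len(q) > max_conn:  # more than max_conn inside window seconds
            stats["tripped_at"] = m["ts"]
            stats["dropped"] += 1  # the tripping connection is flushed
        else:
            stats["allowed"] += 1
    return result
```

At the three-second cadence seen in the log, the fourth attempt trips the limit, while the occasional mistyped password from the second source never does.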