Yes, it more correctly needs to be one of the two following...

block in log quick on $ext_if from <ssh-bruteforce> label BLOCKBRUTES
pass in on $ext_if inet proto tcp \
    from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global) \
    label BLOCKBRUTES

-or-

pass in on $ext_if inet proto tcp \
    from !<ssh-bruteforce> to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

The block-pass pair has the advantage of logging the blocks. The pass
<not><ssh-bruteforce> variant logs successful passes only.

/Scott

-----Original Message-----
From: Raimo Niskanen <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Re: : SSH Brute Force Attacks Abound - and thanks!
Date: Fri, 11 Jan 2008 11:12:00 +0100
Mailer: Mutt/1.5.9i
Delivered-To: [EMAIL PROTECTED]

On Fri, Jan 11, 2008 at 09:28:57AM +0000, Khalid Schofield wrote:
> put this in pf.conf

Is not this missing from the recipe?

block quick from <ssh-bruteforce>

> pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
>     flags S/SA keep state \
>     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
>
> :)
>
> enjoy
>
> On 10 Jan 2008, at 21:53, Ken wrote:
>
> > A practical example, real life, last night.
> > I was replacing my hard drive on my home broadband OBSD firewall,
> > and it was taking a few minutes to copy over the old pf.conf and
> > enable the firewall. I had installed the latest snapshot as a fresh
> > image and restarted. It took a little while to set up the local
> > networks, and I was connected to the Internet, so I could download
> > packages.
> >
> > I copied over the pf.conf from my backup host and enabled it, not
> > thinking much more about it. Then this morning I looked at
> > /var/log/authlog to see stuff like this:
> >
> > Jan  9 18:00:01 home-fw newsyslog[6065]: logfile turned over
> > Jan  9 18:03:03 home-fw sshd[29544]: Invalid user andrew from 125.16.26.123
> > Jan  9 18:03:03 home-fw sshd[240]: input_userauth_request: invalid user andrew
> > Jan  9 18:03:03 home-fw sshd[29544]: Failed password for invalid user andrew from 125.16.26.123 port 52447 ssh2
> > Jan  9 18:03:03 home-fw sshd[240]: Received disconnect from 125.16.26.123: 11: Bye Bye
> > Jan  9 18:03:06 home-fw sshd[19514]: Invalid user adam from 125.16.26.123
> > Jan  9 18:03:06 home-fw sshd[15864]: input_userauth_request: invalid user adam
> > Jan  9 18:03:06 home-fw sshd[19514]: Failed password for invalid user adam from 125.16.26.123 port 52651 ssh2
> > Jan  9 18:03:06 home-fw sshd[15864]: Received disconnect from 125.16.26.123: 11: Bye Bye
> > Jan  9 18:03:08 home-fw sshd[18110]: Invalid user trial from 125.16.26.123
> > Jan  9 18:03:08 home-fw sshd[22493]: input_userauth_request: invalid user trial
> > Jan  9 18:03:09 home-fw sshd[18110]: Failed password for invalid user trial from 125.16.26.123 port 52821 ssh2
> > Jan  9 18:03:09 home-fw sshd[22493]: Received disconnect from 125.16.26.123: 11: Bye Bye
> > Jan  9 18:03:11 home-fw sshd[20596]: Invalid user calendar from 125.16.26.123
> > Jan  9 18:03:11 home-fw sshd[8582]: input_userauth_request: invalid user calendar
> > Jan  9 18:03:11 home-fw sshd[20596]: Failed password for invalid user calendar from 125.16.26.123 port 53011 ssh2
> > Jan  9 18:03:12 home-fw sshd[8582]: Received disconnect from 125.16.26.123: 11: Bye Bye
> > Jan  9 18:03:14 home-fw sshd[22151]: Invalid user poq from 125.16.26.123
> > Jan  9 18:03:14 home-fw sshd[17137]: input_userauth_request: invalid user poq
> > Jan  9 18:03:14 home-fw sshd[22151]: Failed password for invalid user poq from 125.16.26.123 port 53199 ssh2
> >
> > I never see anything like that, since my pf rules only allow me to
> > ssh back to home from my work IP range.
> >
> > In the space of about 15 minutes before I enabled pf all of the
> > following users were tried, probably by an automated script:
> >
> > Aaliyah Aaron Aba Abel Exit Jewel
> > Zmeu Zmeu adam adam add adm
> > admin admin admin admin admin admin
> > admin admins admins adrian alan alex
> > alin alina alinus amanda andrei andrew
> > angel apache aron at backup bnc
> > bran brett cafe calendar cap cgi
> > ch cmd com danny data david
> > dulap fernando fluffy ftp games george
> > get guest guest hacker haxor hk
> > http httpd hy id ident if
> > info info internet irc is it
> > john kathi kayten ldap library linux
> > lp luis mail mail mailman master
> > max michael michael michi mikael mike
> > mike mysql mysql net network news
> > news nick octavio open oper oracle
> > org party paul paul pe pgsql
> > pgsql pl play poq postfix postmaster
> > print psybnc radu resin rex richard
> > richard robert rpm sales samba sara
> > search sef sex sgi sharon shell
> > shell shop squid ssh stan station
> > stef stephen steven sunny sunsun susan
> > suva suzuki tavi technicom telnet test
> > test test test test trial trib
> > uk unix unseen us user user
> > username username users web webadmin webmaster
> > webmaster webpop word www-data wwwrun wwwrun
> > yahoo za
> >
> > What a cesspool the internet is! Good passwords, limit access to
> > where it is necessary, and run an ironclad OS. Thanks for making it
> > all possible.
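As an added example (not code from this thread or from OpenBSD), the following Python script applies the same "more than 3 in 30 seconds" threshold as max-src-conn-rate 3/30 to the authlog lines Ken quoted, to show at which attempt pf's overload would have put the source into <ssh-bruteforce>, and prints the pfctl command that adds such a source to the table by hand. The 192.0.2.10 line and the function names are constructed; pf itself counts new TCP connections rather than failed logins, so it would trip at the same point or earlier.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample input, constructed from the authlog quoted in this thread plus one
# constructed single-failure line from a documentation address (192.0.2.10).
SAMPLE_AUTHLOG = """\
Jan  9 18:00:01 home-fw newsyslog[6065]: logfile turned over
Jan  9 18:03:03 home-fw sshd[29544]: Failed password for invalid user andrew from 125.16.26.123 port 52447 ssh2
Jan  9 18:03:06 home-fw sshd[19514]: Failed password for invalid user adam from 125.16.26.123 port 52651 ssh2
Jan  9 18:03:09 home-fw sshd[18110]: Failed password for invalid user trial from 125.16.26.123 port 52821 ssh2
Jan  9 18:03:11 home-fw sshd[20596]: Failed password for invalid user calendar from 125.16.26.123 port 53011 ssh2
Jan  9 18:03:14 home-fw sshd[22151]: Failed password for invalid user poq from 125.16.26.123 port 53199 ssh2
Jan  9 18:05:30 home-fw sshd[4242]: Failed password for invalid user test from 192.0.2.10 port 40001 ssh2
"""

# One sshd "Failed password" line per attempt; the source is the address after "from".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+"
)

def find_overloads(log_text, max_conn=3, seconds=30):
    """Map each source to the attempt at which it exceeded max_conn in `seconds`."""
    # Sliding window per source, like pf's source-tracking for max-src-conn-rate.
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    overloaded = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # newsyslog and other non-matching lines are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        src = m.group("src")
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window: # expire attempts older than the window
            q.popleft()
        if len(q) > max_conn and src not in overloaded:
            overloaded[src] = ts  # first attempt past the threshold
    return overloaded

def pfctl_commands(overloaded, table="ssh-bruteforce"):
    """pfctl invocations that would put each flagged source into the table."""
    return [f"pfctl -t {table} -T add {src}" for src in sorted(overloaded)]

if __name__ == "__main__":
    print("\n".join(pfctl_commands(find_overloads(SAMPLE_AUTHLOG))))
```

On the quoted log the source is flagged at the fourth attempt, 18:03:11, eight seconds after its first; the single failure from 192.0.2.10 never reaches the threshold.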