Hi openbsd people,

My PF firewall says:
tcp_services = "{ ftp, ssh, domain, www, auth, https }"
udp_services = "{ ftp, domain, ntp }" 
icmp_types = "{ echoreq, unreach }"
set skip on lo
scrub in all no-df random-id
block all
pass in quick on lo0
pass out quick on lo0
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto icmp all icmp-type $icmp_types keep state
pass in proto tcp from any to any port ssh keep state (max-src-conn 3, max-src-conn-rate 2/30, overload <bruteforce> flush global)
pass out proto tcp to any port $tcp_services keep state
pass out proto tcp to any port 5999 keep state
pass out proto udp to any port $udp_services


pfctl -sr gives:
pass in proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 3, max-src-conn-rate 2/30, overload <bruteforce> flush global, src.track 30)

However, I see a few strange lines in my log:

Feb  2 12:59:36 dual sshd[12862]: Did not receive identification string from 60.190.60.78
Feb  2 13:02:04 dual sshd[12879]: Invalid user PlcmSpIp from 60.190.60.78
Feb  2 13:02:08 dual sshd[12881]: Invalid user plcmspip from 60.190.60.78
Feb  2 15:36:42 dual sshd[13139]: reverse mapping checking getaddrinfo for 121.242.15.135.static-kolkata.vsnl.net.in [121.242.15.135] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb  2 15:36:42 dual sshd[13139]: User root from 121.242.15.135 not allowed because not listed in AllowUsers
Feb  2 15:36:45 dual sshd[13141]: reverse mapping checking getaddrinfo for 121.242.15.135.static-kolkata.vsnl.net.in [121.242.15.135] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb  2 15:36:45 dual sshd[13141]: User root from 121.242.15.135 not allowed because not listed in AllowUsers
Feb  2 22:57:55 dual sshd[13910]: Did not receive identification string from 63.119.11.119
Feb  2 23:01:13 dual sshd[13929]: Invalid user gamefiles from 63.119.11.119
Feb  2 23:01:14 dual sshd[13931]: Invalid user ts from 63.119.11.119

What should I change in my pf.conf file to also get rid of those lines?

Feb  2 12:59:36 dual sshd[12862]: Did not receive identification string from 60.190.60.78
Feb  2 13:02:04 dual sshd[12879]: Invalid user PlcmSpIp from 60.190.60.78
Feb  2 13:02:08 dual sshd[12881]: Invalid user plcmspip from 60.190.60.78

or to get rid of these lines?

Feb  2 15:36:42 dual sshd[13139]: reverse mapping checking getaddrinfo for 121.242.15.135.static-kolkata.vsnl.net.in [121.242.15.135] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb  2 15:36:42 dual sshd[13139]: User root from 121.242.15.135 not allowed because not listed in AllowUsers
Feb  2 15:36:45 dual sshd[13141]: reverse mapping checking getaddrinfo for 121.242.15.135.static-kolkata.vsnl.net.in [121.242.15.135] failed - POSSIBLE BREAK-IN ATTEMPT!

or to get rid of these lines?

Feb  2 22:57:55 dual sshd[13910]: Did not receive identification string from 63.119.11.119
Feb  2 23:01:13 dual sshd[13929]: Invalid user gamefiles from 63.119.11.119
Feb  2 23:01:14 dual sshd[13931]: Invalid user ts from 63.119.11.119

1) Will max-src-conn 1 be a better value?
2) Why are those IP addresses not added to the bruteforce table? My max-src-conn-rate 2/30 implies 1 in 15 seconds, and the rate for IP 60.190.60.78 is already 2 in 4 seconds, so I would guess that this IP address would go into bruteforce.


Thanks in advance,
Robert
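As an added example, not part of Robert's message, the script below replays the sshd lines he quoted through a model of pf's per-source rate counter, so you can see which addresses a given `max-src-conn-rate number/seconds` setting would actually push into the <bruteforce> table. It assumes that one sshd pid corresponds to one TCP connection, and the decaying-counter arithmetic is an approximation of pf's source-tracking threshold (an assumption, not pf's code itself).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the sshd lines quoted in the post, with the e-mail wrapping undone.
LOG = """\
Feb  2 12:59:36 dual sshd[12862]: Did not receive identification string from 60.190.60.78
Feb  2 13:02:04 dual sshd[12879]: Invalid user PlcmSpIp from 60.190.60.78
Feb  2 13:02:08 dual sshd[12881]: Invalid user plcmspip from 60.190.60.78
Feb  2 15:36:42 dual sshd[13139]: reverse mapping checking getaddrinfo for 121.242.15.135.static-kolkata.vsnl.net.in [121.242.15.135] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb  2 15:36:42 dual sshd[13139]: User root from 121.242.15.135 not allowed because not listed in AllowUsers
Feb  2 15:36:45 dual sshd[13141]: reverse mapping checking getaddrinfo for 121.242.15.135.static-kolkata.vsnl.net.in [121.242.15.135] failed - POSSIBLE BREAK-IN ATTEMPT!
Feb  2 15:36:45 dual sshd[13141]: User root from 121.242.15.135 not allowed because not listed in AllowUsers
Feb  2 22:57:55 dual sshd[13910]: Did not receive identification string from 63.119.11.119
Feb  2 23:01:13 dual sshd[13929]: Invalid user gamefiles from 63.119.11.119
Feb  2 23:01:14 dual sshd[13931]: Invalid user ts from 63.119.11.119
"""

LINE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: .*?(?:from |\[)(\d{1,3}(?:\.\d{1,3}){3})")
EPOCH = datetime(1900, 1, 1)  # strptime without a year yields 1900; only deltas matter here
MULT = 1000  # integer scaling so the counter can decay fractionally without floating point

def connections(log):
    """One (seconds, ip) per sshd pid: several log lines can belong to a single TCP connection (assumption)."""
    seen = {}
    for m in filter(None, map(LINE.match, log.splitlines())):
        mon, day, hms, pid, ip = m.groups()
        t = datetime.strptime(f"{mon} {day} {hms}", "%b %d %H:%M:%S")
        seen.setdefault(pid, (int((t - EPOCH).total_seconds()), ip))
    return sorted(seen.values())

def overloaded(conns, number, seconds):
    """Return the IPs that exceed number/seconds, modelled as a linearly decaying per-source counter."""
    count, last, hits = defaultdict(int), {}, set()
    for t, ip in conns:
        diff = t - last.get(ip, t - seconds)    # first sighting: counter is fully decayed
        if diff >= seconds:
            count[ip] = 0
        else:
            count[ip] -= count[ip] * diff // seconds
        count[ip] += MULT
        last[ip] = t
        if count[ip] > number * MULT:           # overload means "more than number in seconds"
            hits.add(ip)
    return hits

if __name__ == "__main__":
    conns = connections(LOG)
    print("2/30 ->", overloaded(conns, 2, 30), "  1/30 ->", overloaded(conns, 1, 30))
```

Note that max-src-conn limits simultaneous states, so short-lived failed logins that sshd closes rarely reach it; the rate threshold is what decides overload for this kind of traffic.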
