[nycbug-talk] another thread: sshd zombie attacks

Charles Sprickman spork at bway.net
Wed May 20 02:43:59 EDT 2009


On Wed, 20 May 2009, Matt Juszczak wrote:

>> If you must have a box with sshd(8) widely open, then I would consider
>> running at least pf(4) on it.  It has some nice features to stop these
>> kinds of attacks.
>
> Right. Exactly what I'm doing:
>
>
> ---/etc/pf.conf---
>
> if = "em0"
> pass all
> table <bruteforce> persist
> block drop in  quick on $if from <bruteforce> to any
> pass in quick on $if inet proto tcp from any to $if port 22 flags S/SA \
>     keep state (max-src-conn 50, max-src-conn-rate 3/30, overload <bruteforce> \
>     flush global)
> ---end---

For anyone else considering this, for safety's sake drop a rule like this
above the bruteforce rule:

pass in quick on $ext_if proto tcp from <admin> to any port 22 flags S/SA \
    keep state

That "admin" table may contain another jump box.  The bruteforce thing
works well, but I have seen some weird sftp clients get tripped up on it
somehow.

Charles
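The two fragments from this thread combined into one ordered ruleset, as an added example rather than either poster's own config. The interface name, the addresses in the admin table and the rule comments are assumptions; the rate-limit numbers are the ones quoted above.

```pf
# Added example: Matt's overload rule with Charles's admin exception placed
# above it. Interface and admin addresses are constructed placeholders.
ext_if = "em0"

# Jump-box / admin addresses that must never end up in <bruteforce>.
table <admin> { 192.0.2.10, 198.51.100.0/24 }
table <bruteforce> persist

pass all

# 1. Admin hosts first, with "quick" so evaluation stops here: an admin
#    address that later trips the rate limit is still let in.
pass in quick on $ext_if proto tcp from <admin> to $ext_if port 22 \
    flags S/SA keep state

# 2. Sources already in the table are dropped before reaching the SSH rule.
block drop in quick on $ext_if from <bruteforce> to any

# 3. Everyone else: at most 50 concurrent connections per source and at most
#    3 new connections per 30 seconds; exceeding either adds the source to
#    <bruteforce> and "flush global" tears down all of its existing states.
pass in quick on $ext_if inet proto tcp from any to $ext_if port 22 \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 3/30, overload <bruteforce> flush global)
```

Entries added by overload never expire on their own, so a legitimate client that tripped the limit (the sftp case above) stays blocked until removed with `pfctl -t bruteforce -T delete <addr>`, or aged out periodically with `pfctl -t bruteforce -T expire 86400`.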
