OpenBSD Security: Functionally paranoid!
Hi. I ran into a small problem. I changed the default ssh listening port from 22 to 1337 and added the port in pf.conf, but when I tried to log in with false credentials from another computer (outside the network) the IP is not being added to the table.
I changed the default port in sshd_config with
Code:
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 1337
Code:
# macros
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ 62222, www, 1337 }"
udp_services = "{ 62222, www, 1337 }"
# tables
table <bruteforce> persist file "/var/pf/bruteforce"
# options
set loginterface $int_if
# disable filtering on loopback interface
set skip on lo0
# block rules
block log all
block quick from <bruteforce>
# pass rules
pass inet proto tcp to $localnet port $tcp_services \
keep state (max-src-conn 50, max-src-conn-rate 3/60, \
overload <bruteforce> flush global)
pass out all
I suspect that something is wrong with the way I changed the port...
I don't see anything obviously wrong. Your test might be in error.
If you add the "log" keyword to your pass rule, # tcpdump -neti pflog0 will give you timestamps for each state creation.
And back for more info. Due to work and being sick, I could not find the courage to post more info...
The strange thing is that if I remove the 1337 port from the udp_services, the table works... I tried a somewhat different approach by changing the rules specifically for the ssh port
Code:
# macros defined
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ 62222, www, 1337 }"
udp_services = "{ 62222, www }"
# tables
table <bruteforce> persist
# options
set loginterface $int_if
# disable filtering on loopback interface
set skip on lo0
# block rules
block log all
block quick from <bruteforce>
# pass rules for ssh
pass quick proto { tcp,udp } to port 1337 \
keep state (max-src-conn 10, max-src-conn-rate 2/60, \
overload <bruteforce> flush global)
pass inet proto tcp to $localnet port $tcp_services \
keep state (max-src-conn 50, max-src-conn-rate 3/60, \
overload <bruteforce> flush global)
pass out all
I am guessing that having the two protocols, because they are expanded, is the root cause -- it interferes with correct stateful processing. SSH does not use UDP, so you can eliminate the problem by removing UDP from the rule.
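The TCP-only ssh rule suggested above, written out as an added example (not a ruleset from this thread), together with the pfctl and tcpdump checks that show whether the overload is actually firing; the interface name, port and thresholds are taken from the original post, everything else is assumed:

```pf
# Added example, not the thread's own config. Interface ale0, port 1337
# and the thresholds follow the original post.
int_if="ale0"
table <bruteforce> persist
set loginterface $int_if
set skip on lo0

block log all
# Keep this ahead of the "pass quick" rule, otherwise the pass matches first
# and addresses already in the table are never blocked.
block quick from <bruteforce>

# TCP only: sshd never listens on UDP, and expanding { tcp,udp } here is
# what broke the overload handling. "log" sends each state creation to pflog0.
pass in log quick inet proto tcp to port 1337 \
    keep state (max-src-conn 10, max-src-conn-rate 2/60, \
    overload <bruteforce> flush global)

pass out all

# Caveat for testing: pf counts TCP connections, not failed logins. A single
# ssh session with a wrong password is one connection, so it never exceeds
# 2/60 on its own; open at least three connections from the test host within
# a minute (sshd itself allows several password attempts per connection,
# governed by MaxAuthTries) to see the address land in the table.
#
# Checks, run as root on the firewall:
#   pfctl -nf /etc/pf.conf               # parse the ruleset without loading it
#   pfctl -f /etc/pf.conf                # load it
#   tcpdump -neti pflog0 port 1337       # one line per logged state/block
#   pfctl -t bruteforce -T show          # sources that tripped the limit
#   pfctl -s states | grep 1337          # states; gone for that source after "flush global"
#   pfctl -t bruteforce -T expire 86400  # optional: drop entries older than a day
```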
I see what you mean.
As always, thank you.