Dealing with ssh "ding-dong ditch" (connect-and-drop) scans

Posted on:

Looking through the daily security reports from Charlie Root, I kept seeing lots of log entries for connections that are opened and dropped right away, and sshguard did not seem to be blocking them, so I tried handling them with pf instead.

Feb 10 14:13:46 xxxx sshd[91606]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:13:46 xxxx sshd[91608]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:13:47 xxxx sshd[91610]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:14:01 xxxx sshd[91612]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:14:08 xxxx sshd[91614]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:14:11 xxxx sshd[91616]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:15:00 xxxx sshd[91618]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:16:22 xxxx sshd[91622]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:16:38 xxxx sshd[91624]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:16:51 xxxx sshd[91626]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:16:52 xxxx sshd[91628]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:17:05 xxxx sshd[91630]: fatal: Read from socket failed: Connection reset by peer [preauth]
Feb 10 14:17:09 xxxx sshd[91632]: fatal: Read from socket failed: Connection reset by peer [preauth]

Added the following lines to /etc/pf.conf. An IPv4 address that is not in the <white4_ext> whitelist table (assumed to be defined elsewhere in pf.conf) is allowed at most 5 new connections to port 22 per 60 seconds and at most 15 concurrent ones; exceeding either limit puts the address into the <bruteforce> table, and the block rule then drops everything from it. Since the scanner completes the TCP handshake before resetting, each of those "[preauth]" resets still creates a pf state and counts against the rate, even though sshd never sees an authentication attempt to log.

# Sources that tripped the overload limit below; persist keeps the table in the kernel even when empty.
table <bruteforce> persist
# Must precede the pass rule: "quick" stops evaluation at the first match.
block in quick on $ext_if from <bruteforce> to any label "ssh bruteforce"
# Initial SYNs to port 22 from IPv4 sources not in <white4_ext>: at most 15 concurrent states and 5 new
# connections per 60 s per source; exceeding either adds the source to <bruteforce> and kills all of its states.
pass in quick on $ext_if inet proto tcp from !<white4_ext> to any port 22 flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/60, overload <bruteforce> flush global)
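To make it concrete which connection actually trips the rule, here is a small simulation of the max-src-conn / max-src-conn-rate / overload logic of that pass rule. This is an added example, not code from the post or from pf itself: the source addresses are constructed documentation addresses (the sshd log above carries no client IPs), and the rate check is modelled as an exact sliding window, which approximates pf's internal decaying counter closely enough to show the behaviour.

```python
"""Simulate pf's per-source limits from the rule

  pass in ... flags S/SA keep state \
      (max-src-conn 15, max-src-conn-rate 5/60, overload <bruteforce> flush global)

Added example, not code from the blog post or from pf. The sliding window is an
approximation of pf's decaying rate counter; the addresses below are constructed.
"""
from collections import defaultdict, deque

MAX_SRC_CONN = 15               # max-src-conn: concurrent states per source
RATE_CONNS, RATE_SECS = 5, 60   # max-src-conn-rate 5/60


class PfOverloadSim:
    def __init__(self, whitelist):
        self.whitelist = set(whitelist)             # <white4_ext>
        self.bruteforce = set()                     # <bruteforce>
        self.open_states = defaultdict(set)         # src -> ids of live states
        self.recent = defaultdict(deque)            # src -> times of recent state creations

    def syn(self, t, src, conn_id):
        """An initial SYN from src at time t (seconds). Returns 'pass', 'block' or 'overload'."""
        if src in self.bruteforce:
            return "block"          # matched by "block in quick ... from <bruteforce>"
        if src in self.whitelist:
            return "pass"           # "from !<white4_ext>" never applies the limits
        window = self.recent[src]
        while window and t - window[0] >= RATE_SECS:
            window.popleft()        # drop creations outside the last RATE_SECS
        window.append(t)
        self.open_states[src].add(conn_id)
        if len(window) > RATE_CONNS or len(self.open_states[src]) > MAX_SRC_CONN:
            # overload: source goes into the table, the triggering SYN is dropped and,
            # with "flush global", every existing state of that source is killed
            self.bruteforce.add(src)
            self.open_states[src].clear()
            window.clear()
            return "overload"
        return "pass"

    def close(self, src, conn_id):
        """The connection ended (e.g. the client reset it); its state goes away."""
        self.open_states[src].discard(conn_id)


def run_demo():
    """Constructed traffic: a connect-and-reset scanner, a whitelisted admin host and a
    client that keeps sessions open. Returns the verdict lists and the final table."""
    sim = PfOverloadSim(whitelist={"198.51.100.5"})
    results = {"scanner": [], "admin": [], "parallel": []}

    # Scanner: 7 connections in 30 s, each reset right after the handshake.
    scanner = "203.0.113.7"
    for i in range(7):
        results["scanner"].append(sim.syn(t=i * 5, src=scanner, conn_id=i))
        sim.close(scanner, i)

    # Whitelisted admin host: a burst of 10 connections within 10 s, never limited.
    results["admin"] = [sim.syn(t=i, src="198.51.100.5", conn_id=100 + i) for i in range(10)]

    # Slow client that never closes: one new session every 15 s stays under the
    # rate (4 per 60 s) but the 16th concurrent state exceeds max-src-conn 15.
    results["parallel"] = [sim.syn(t=i * 15, src="192.0.2.77", conn_id=200 + i)
                           for i in range(16)]

    results["table"] = sorted(sim.bruteforce)
    return results


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:9s} {verdicts}")
```

The scanner's sixth connection inside the 60 second window is the one that lands it in <bruteforce>; everything after that is dropped by the block rule before sshd ever sees a SYN. The parallel client shows that max-src-conn trips on its own even when the rate is fine.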

I'll watch how this behaves for a while. One thing to keep in mind: addresses put into <bruteforce> by the overload never leave it on their own. `pfctl -t bruteforce -T show` lists what has been caught, and `pfctl -t bruteforce -T expire 86400` (for example from cron) removes entries older than a day so a dynamic address that was scanning yesterday is not blocked forever.
