Date: Fri, 16 Oct 2009 08:30:06 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Aflatoon Aflatooni <aaflatooni@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Security blocking question
Message-ID: <4AD820FE.4050808@infracaninophile.co.uk>
In-Reply-To: <628151.64600.qm@web56204.mail.re3.yahoo.com>
References: <526808.11391.qm@web56207.mail.re3.yahoo.com> <4ACFB17A.1080400@infracaninophile.co.uk> <628151.64600.qm@web56204.mail.re3.yahoo.com>
Aflatoon Aflatooni wrote:
>>> Is there a way that I could configure the server so that if there are for
>>> example X attempts from an IP address then for the next Y hours all the SSH
>>> requests would be ignored from that IP address? There are only a handful of
>>> people who have access to that server.
>>
>> Yes.
>>
>> In pf.conf:
>>
>> table <ssh-bruteforce> persist
>>
>> [...]
>>
>> block drop in log quick on $ext_if from <ssh-bruteforce>
>>
>> [...]
>>
>> pass in on $ext_if proto tcp \
>> from any to $ext_if port ssh \
>> flags S/SA keep state \
>> (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
>>
>> plus you'll need to add a cron job to clear old entries out of the
>> ssh-bruteforce
>> table after a suitable amount of time has passed. Use expiretable to do
>> that. Note: in practice I've found that it's a *really good idea* to implement
>> a SSH whitelist of addresses that will never be bruteforce blocked like this --
>> it's very easy to lock yourself out even if everything you're doing is entirely
>> legitimate. Coding that is left as an exercise for the reader.
>>
>
> What is the best way of testing the PF rule? Is there a quick way to mimic a brute force?
> Is there a way that I could review the content of the table through pfctl -s all?
To test, you need access to a machine not in your whitelist from where you
can try ssh'ing into the protected machine several times in rapid sequence.
3 times in 30s sounds quite fast, but it is actually not too hard to achieve
accidentally, especially if you use tools like rsync over SSH transport. You
should have a login concurrently from some other IP or on the console, otherwise
you will lock yourself out.
To see what IPs have been added to the ssh-bruteforce table and when and what
traffic has been blocked:
# pfctl -vv -t ssh-bruteforce -T show
To manually delete an IP from the ssh-bruteforce table:
# pfctl -t ssh-bruteforce -T delete 12.34.56.78
As noted elsewhere in this thread, instead of using expiretable, you can run this
out of cron to expire addresses over a day old from the ssh-bruteforce blocklist:
# pfctl -t ssh-bruteforce -T expire 86400
The pfctl(8) man page is pretty illuminating.
Cheers,
Matthew
PS. Got to love the way that HTML-ising e-mail has deleted the table name
from the examples above. I hope you could actually read it unmunged. Plain
text rools!
--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey