Date: Fri, 16 Oct 2009 08:30:06 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Aflatoon Aflatooni <aaflatooni@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Security blocking question
Message-ID: <4AD820FE.4050808@infracaninophile.co.uk>
In-Reply-To: <628151.64600.qm@web56204.mail.re3.yahoo.com>
References: <526808.11391.qm@web56207.mail.re3.yahoo.com> <4ACFB17A.1080400@infracaninophile.co.uk> <628151.64600.qm@web56204.mail.re3.yahoo.com>
Aflatoon Aflatooni wrote:
>>> Is there a way that I could configure the server so that if there are for
>>> example X attempts from an IP address then for the next Y hours all the SSH
>>> requests would be ignored from that IP address? There are only a handful of
>>> people who have access to that server.
>>
>> Yes.
>>
>> In pf.conf:
>>
>> table <ssh-bruteforce> persist
>>
>> [...]
>>
>> block drop in log quick on $ext_if from <ssh-bruteforce>
>>
>> [...]
>>
>> pass in on $ext_if proto tcp \
>>     from any to $ext_if port ssh \
>>     flags S/SA keep state \
>>     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
>>
>> plus you'll need to add a cron job to clear old entries out of the
>> ssh-bruteforce table after a suitable amount of time has passed. Use
>> expiretable to do that. Note: in practice I've found that it's a *really
>> good idea* to implement a SSH whitelist of addresses that will never be
>> bruteforce blocked like this -- it's very easy to lock yourself out even
>> if everything you're doing is entirely legitimate. Coding that is left as
>> an exercise for the reader.
>>
>
> What is the best way of testing the PF rule? Is there a quick way to mimic
> a brute force?
> Is there a way that I could review the content of the table through
> pfctl -s all

To test, you need access to a machine not in your whitelist from where you
can try ssh'ing into the protected machine several times in rapid sequence.
3 times in 30s sounds quite fast, but it is actually not too hard to achieve
accidentally, especially if you use tools like rsync over SSH transport. You
should have a login concurrently from some other IP or on the console,
otherwise you will lock yourself out.
To see what IPs have been added to the ssh-bruteforce table and when, and
what traffic has been blocked:

    # pfctl -vv -t ssh-bruteforce -T show

To manually delete an IP from the ssh-bruteforce table:

    # pfctl -t ssh-bruteforce -T delete 12.34.56.78

As noted elsewhere in this thread, instead of using expiretable, you can run
this out of cron to expire addresses over a day old from the ssh-bruteforce
blocklist:

    # pfctl -t ssh-bruteforce -T expire 86400

The pfctl(8) man page is pretty illuminating.

	Cheers,

	Matthew

PS. Got to love the way that HTML-ising e-mail has deleted the table name
from the examples above. I hope you could actually read it unmunged. Plain
text rools!

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
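Added example (not part of Matthew's mail, nor a FreeBSD tool): a small
sh helper that turns the `pfctl -vv -t ssh-bruteforce -T show` listing into
a sortable "address blocked-packets" report, and that checks the block table
against the whitelist the thread says you should keep, printing the
`pfctl -T delete` commands for any whitelisted address that got caught. The
table name ssh-bruteforce comes from the thread; the counter layout of the
verbose listing (an indented address line followed by Cleared:, In/Block:,
In/Pass:, Out/Block:, Out/Pass: lines) is assumed from FreeBSD's pfctl, and
the sample listing embedded below is constructed, not captured. IPv4 entries
only.

```shell
#!/bin/sh
# pfreview.sh: review / whitelist-check an SSH overload table.
# Added example, not from the original mail. Assumes the table name
# ssh-bruteforce (from the thread) and the verbose listing layout of
# `pfctl -vv -t TABLE -T show` on FreeBSD (an assumption, see SAMPLE_SHOW).

# Constructed sample of what `pfctl -vv -t ssh-bruteforce -T show` prints
# (two entries). This is NOT real captured output.
SAMPLE_SHOW='   192.0.2.10
        Cleared:     Fri Oct 16 08:00:00 2009
        In/Block:    [ Packets: 12                 Bytes: 720                ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   198.51.100.7
        Cleared:     Fri Oct 16 08:05:00 2009
        In/Block:    [ Packets: 3                  Bytes: 180                ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# parse_table: stdin = verbose table listing; stdout = one line per entry,
# "ADDRESS IN_BLOCK_PACKETS". The In/Block counter is the inbound traffic
# the `block drop in ... from <ssh-bruteforce>` rule has dropped.
parse_table() {
    awk '
        # Address line: first field is an IPv4 address or IPv4 CIDR.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            if (addr != "") print addr, pkts
            addr = $1; pkts = 0; next
        }
        # Counter line: "In/Block: [ Packets: N Bytes: M ]"
        $1 == "In/Block:" {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
        }
        END { if (addr != "") print addr, pkts }
    '
}

# whitelist_hits: $1 = whitelist file (one address per line, # comments
# allowed), $2 = table name (default ssh-bruteforce); stdin = parse_table
# output. Prints, but does not run, the pfctl command that removes each
# whitelisted address found in the block table. Pipe to sh to apply.
whitelist_hits() {
    wl="$1"; table="${2:-ssh-bruteforce}"
    awk -v wl="$wl" -v table="$table" '
        FILENAME == wl { sub(/#.*/, ""); if ($1 != "") allow[$1] = 1; next }
        ($1 in allow) { printf "pfctl -t %s -T delete %s\n", table, $1 }
    ' "$wl" -
}

# Usage (as root, on the pf host):
#   pfctl -vv -t ssh-bruteforce -T show | sh pfreview.sh review
#   pfctl -vv -t ssh-bruteforce -T show | sh pfreview.sh unblock /etc/ssh-whitelist
case "${1:-}" in
    review)  parse_table | sort -k2,2nr ;;
    unblock) parse_table | whitelist_hits "$2" "${3:-ssh-bruteforce}" ;;
esac
```

The whitelist file is the same list of addresses you would load into a
second table (say `<ssh-whitelist>`) and pass with a `quick` rule placed
before the rate-limited `pass in ... port ssh` rule, which is the usual way
to close the lock-yourself-out hole Matthew warns about; this helper only
catches addresses that slipped into the block table anyway, for instance
before that rule was added. Note that `pfctl -T expire 86400` works off the
`Cleared:` timestamp shown in the same listing, so that line tells you when
each entry will age out.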