From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Fri, 16 Oct 2009 08:30:06 +0100
To: Aflatoon Aflatooni
Cc: freebsd-questions@freebsd.org
Subject: Re: Security blocking question

Aflatoon Aflatooni wrote:
>>> Is there a way that I could configure the server so that if there are for
>> example X attempts from an IP address then for the next Y hours all the SSH
>> requests would be ignored from that IP address? There are only a handful of
>> people who have access to that server.
>>
>> Yes.
>>
>> In pf.conf:
>>
>> table persist
>>
>> [...]
>>
>> block drop in log quick on $ext_if from
>>
>> [...]
>>
>> pass in on $ext_if proto tcp \
>>     from any to $ext_if port ssh \
>>     flags S/SA keep state \
>>     (max-src-conn-rate 3/30, overload flush global)
>>
>> plus you'll need to add a cron job to clear old entries out of the
>> ssh-bruteforce table after a suitable amount of time has passed. Use
>> expiretable to do that.
>>
>> Note: in practice I've found that it's a *really good idea* to implement
>> a SSH whitelist of addresses that will never be bruteforce blocked like
>> this -- it's very easy to lock yourself out even if everything you're
>> doing is entirely legitimate. Coding that is left as an exercise for the
>> reader.
>>
>
> What is the best way of testing the PF rule? Is there a quick way to mimic
> a brute force? Is there a way that I could review the content of the table
> through pfctl -s all

To test, you need access to a machine not in your whitelist from where you
can try ssh'ing into the protected machine several times in rapid sequence.
3 times in 30s sounds quite fast, but it is actually not too hard to achieve
accidentally, especially if you use tools like rsync over SSH transport. You
should have a login concurrently from some other IP or on the console,
otherwise you will lock yourself out.

To see what IPs have been added to the ssh-bruteforce table and when and
what traffic has been blocked:

    # pfctl -vv -t ssh-bruteforce -T show

To manually delete an IP from the ssh-bruteforce table:

    # pfctl -t ssh-bruteforce -T delete 12.34.56.78

As noted elsewhere in this thread, instead of using expiretable, you can run
this out of cron to expire addresses over a day old from the ssh-bruteforce
blocklist:

    # pfctl -t ssh-bruteforce -T expire 86400

The pfctl(8) man page is pretty illuminating.
Cheers,

Matthew

PS. Got to love the way that HTML-ising e-mail has deleted the table name
from the examples above. I hope you could actually read it unmunged. Plain
text rools!

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
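The following is an added example and not part of Matthew's message or of the
FreeBSD project: a POSIX shell script that (a) emits the pf.conf fragment from
the thread with the SSH whitelist that was "left as an exercise" filled in, and
(b) turns the output of "pfctl -vv -t ssh-bruteforce -T show" into a one-line-
per-address report so you can see who is blocked, since when, and how much
inbound traffic has been dropped. Assumed, not from the message: the interface
"em0", the table name <ssh-whitelist>, the RFC 5737 sample addresses, the cron
schedule in the comment, and the sample pfctl output, which is constructed by
hand to follow the layout of pfctl(8) -vv output (address line, then "Cleared:"
and "In/Block:" lines).

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumptions: interface em0,
# whitelist table <ssh-whitelist>, sample addresses from RFC 5737.

# Emit the pf.conf fragment. Ordering matters: whitelisted sources hit the
# first "quick" pass rule, so they never reach the rate-limited rule and are
# never added to <ssh-bruteforce>; the block rule for the overload table only
# comes after that. Keep the file under version control and "pfctl -nf" it
# before loading.
ssh_guard_rules() {
    cat <<'EOF'
ext_if = "em0"
table <ssh-whitelist> persist { 192.0.2.10, 198.51.100.0/24 }
table <ssh-bruteforce> persist

# trusted addresses: always allowed and never rate-limited
pass in quick on $ext_if proto tcp from <ssh-whitelist> to $ext_if port ssh \
    flags S/SA keep state

# anything currently in the overload table is dropped and logged
block drop in log quick on $ext_if from <ssh-bruteforce>

# everyone else: 3 new connections per 30 s, offenders go into the table
pass in on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
EOF
}

# Example crontab line (assumed schedule): hourly, drop entries older than a day,
# the same command the message recommends instead of expiretable:
#   0 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 86400

# Constructed sample of "pfctl -vv -t ssh-bruteforce -T show" output.
SAMPLE_TABLE='   203.0.113.5
        Cleared:     Fri Oct 16 08:30:06 2009
        In/Block:    [ Packets: 17                 Bytes: 1020               ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
   203.0.113.77
        Cleared:     Fri Oct 16 07:12:44 2009
        In/Block:    [ Packets: 3                  Bytes: 180                ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]'

# Read pfctl -vv table output on stdin; print "<address> <inbound packets
# blocked> <time the entry was added>" per table entry. Address lines are the
# only lines consisting of a single field that looks like an IPv4/IPv6 address
# or prefix; "Cleared:" carries the timestamp; "In/Block:" carries the count.
table_report() {
    awk '
        NF == 1 && $1 ~ /^[0-9a-fA-F:.]+(\/[0-9]+)?$/ { addr = $1; next }
        $1 == "Cleared:"  { when = $2 " " $3 " " $4 " " $5 " " $6; next }
        $1 == "In/Block:" { print addr, $4, when }
    '
}

# Stand-alone demo on the constructed sample. On a live host run:
#   pfctl -vv -t ssh-bruteforce -T show | table_report
printf '%s\n' "$SAMPLE_TABLE" | table_report
```

The report makes the "did I just lock out my own backup host?" check a one-
liner, and the whitelist rule is what keeps that from happening in the first
place: an address that never reaches the overload rule can never be added to
the table, whatever rsync does.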