From owner-freebsd-questions@FreeBSD.ORG Fri Mar 5 16:35:09 2010 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8E4F81065672 for ; Fri, 5 Mar 2010 16:35:09 +0000 (UTC) (envelope-from john@starfire.mn.org) Received: from elwood.starfire.mn.org (starfire.skypoint.net [173.8.102.29]) by mx1.freebsd.org (Postfix) with ESMTP id 143348FC25 for ; Fri, 5 Mar 2010 16:35:08 +0000 (UTC) Received: from elwood.starfire.mn.org (john@localhost [127.0.0.1]) by elwood.starfire.mn.org (8.14.3/8.14.3) with ESMTP id o25GZ8ac018396; Fri, 5 Mar 2010 10:35:08 -0600 (CST) (envelope-from john@elwood.starfire.mn.org) Received: (from john@localhost) by elwood.starfire.mn.org (8.14.3/8.14.3/Submit) id o25GZ7Hr018395; Fri, 5 Mar 2010 10:35:07 -0600 (CST) (envelope-from john) Date: Fri, 5 Mar 2010 10:35:07 -0600 From: John To: Matthew Seaman Message-ID: <20100305163507.GA18338@elwood.starfire.mn.org> References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org> <20100305154439.GA17456@elwood.starfire.mn.org> <4B912ADC.1040802@infracaninophile.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4B912ADC.1040802@infracaninophile.co.uk> User-Agent: Mutt/1.4.2.3i Cc: John , mikel king , Programmer In Training , freebsd-questions@freebsd.org Subject: pf overload for SMTP (was: Thousands of ssh probes) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Mar 2010 16:35:09 -0000 On Fri, Mar 05, 2010 at 04:01:32PM +0000, Matthew Seaman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 05/03/2010 15:44:39, John wrote: > > Maybe I'll have to learn how to do a VPN from FreeBSD.... > > > > One thought that occurs to me is that pf tables would provide a > > direct API without having to hit a database. > > > > I think I really like this. I may have to implement it for pf. > > It should be really easy with CGI and calls to pfctl. > > There's already a mechanism whereby you can connect into a PF firewall > and have it open up extra access for you, all controlled by ssh keys. > > See: http://www.openbsd.org/faq/pf/authpf.html > > Not only that, but you can dynamically block brute force attempts to > crack SSH passwords using just PF -- no need to scan through auth.log or > use an external database. You need something like this in pf.conf: > > table persist > > [...near the top of the rules section...] > block drop in log quick on $ext_if from > > [...later in the rules section...] > pass in on $ext_if proto tcp \ > from any to $ext_if port ssh \ > flags S/SA keep state \ > (max-src-conn-rate 3/30, overload flush global) > > This adds IPs to the ssh-bruteforce table if there are too frequent > attempts to connect from them (more than 3 within 30 seconds in this > case) and so blocks all further access. > > You need to run a cron job to clear out old entries from the > ssh-bruteforce table or it will grow continually over time: > > */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 86400 >/dev/null 2>&1 > > Cheers, > > Matthew Is there any reason one couldn't do something similar for SMTP? Maybe a little wider sample window, like 10/300? Or would you end up blocking too any things that you don't mean to block? Anyone played with this for SMTP? -- John Lind john@starfire.MN.ORG The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries. - Winston Churchill