Date: Fri, 16 Oct 2009 12:11:58 -0700 (PDT)
From: Aflatoon Aflatooni <aaflatooni@yahoo.com>
To: freebsd-questions@freebsd.org
Subject: Re: Security blocking question
Message-ID: <99934.58817.qm@web56206.mail.re3.yahoo.com>
In-Reply-To: <4AD820FE.4050808@infracaninophile.co.uk>
References: <526808.11391.qm@web56207.mail.re3.yahoo.com> <4ACFB17A.1080400@infracaninophile.co.uk> <628151.64600.qm@web56204.mail.re3.yahoo.com> <4AD820FE.4050808@infracaninophile.co.uk>
> Aflatoon Aflatooni wrote:
> >>> Is there a way that I could configure the server so that if there are for
> >> example X attempts from an IP address then for the next Y hours all the SSH
> requests would be ignored from that IP address? There are only a handful of
> people who have access to that server.
> >>
> >> Yes.
> >>
> >> In pf.conf:
> >>
> >> table <ssh-bruteforce> persist
> >>
> >> [...]
> >>
> >> block drop in log quick on $ext_if from <ssh-bruteforce>
> >> [...]
> >>
> >> pass in on $ext_if proto tcp      \
> >>    from any to $ext_if port ssh \
> >>    flags S/SA keep state        \
> >>    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> >>
> >> plus you'll need to add a cron job to clear old entries out of the
> ssh-bruteforce
> >> table after a suitable amount of time has passed.  Use expiretable to do
> >> that.  Note: in practice I've found that it's a *really good idea* to
> implement an SSH whitelist of addresses that will never be bruteforce blocked
> like this -- it's very easy to lock yourself out even if everything you're doing
> is entirely legitimate.  Coding that is left as an exercise for the reader.
> >>
> >
> > What is the best way of testing the PF rule? Is there a quick way to mimic a
> brute force? Is there a way that I could review the content of the table through
> pfctl -s all
>
> To test, you need access to a machine not in your whitelist from where you
> can try ssh'ing into the protected machine several times in rapid sequence.
> 3 times in 30s sounds quite fast, but it is actually not too hard to achieve
> accidentally, especially if you use tools like rsync over SSH transport.  You
> should have a login concurrently from some other IP or on the console, otherwise
> you will lock yourself out.
>
> To see what IPs have been added to the ssh-bruteforce table and when and what
> traffic has been blocked:
>
>   # pfctl -vv -t ssh-bruteforce -T show
>
> To manually delete an IP from the ssh-bruteforce table:
>
>   # pfctl -t ssh-bruteforce -T delete 12.34.56.78
>
> As noted elsewhere in this thread, instead of using expiretable, you can run
> this
> out of cron to expire addresses over a day old from the ssh-bruteforce
> blocklist:
>
>   # pfctl -t ssh-bruteforce -T expire 86400
>
> The pfctl(8) man page is pretty illuminating.
>
>     Cheers,
>
>     Matthew
>

Thanks,
I have the following in my pf.conf:

ext_if="bge0"
# Public Services --  smtp, http, pop3s
tcpPubServices = "{ 25, 80, 995 }"
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set limit { states 10000, frags 5000 }
#set loginterface none
set optimization normal
set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
set skip on lo0
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

pass out all
block in log all
table <sshBruteForce> { }
block in quick from <sshBruteForce> to any
pass in on $ext_if inet proto tcp from any to any port $tcpPubServices flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to any port ssh modulate state (source-track rule max-src-nodes 8 max-src-conn 8 max-src-conn-rate 3/60 overload <sshBruteForce> flush global)


And I have tried to make a lot of ssh connections to the box and kill them with Ctrl-C or a bad password, but nothing gets added to the table. There isn't anything in the log either. How would I go about figuring out what is wrong?

Thanks
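The following is an added example, not part of this thread and not pf code: a small Python model of what an overload rule of the shape discussed above (max-src-conn-rate 3/30, overload into a table, flush global, a quick block from that table) does to a stream of new SSH connections from several sources, together with the whitelist Matthew recommends and the cron-driven "pfctl -T expire 86400" cleanup. It lets you reason about the policy offline, for instance why a short rsync burst trips the limit while one login every 15 seconds never does. Assumptions: the per-source decaying counter follows the general shape of pf's threshold bookkeeping (count scaled by 1000, decayed by elapsed/window, overload once the count exceeds the limit) but is an approximation, not pf's actual implementation; the whitelist is modelled as a quick pass rule placed ahead of the block rule; all addresses and timestamps are constructed.

```python
"""
Added example (not from the thread, not pf code): a model of a pf SSH
overload rule, the whitelist exemption and the cron expiry.

Assumption: the decaying per-source counter approximates pf's threshold
logic; pf's real behaviour is defined by its source and may differ.
"""

from dataclasses import dataclass, field

MULT = 1000  # scale factor so integer arithmetic keeps the decay precise


@dataclass
class Threshold:
    """Per-source state for 'max-src-conn-rate limit/seconds' (approximation)."""
    limit: int        # the "3" in 3/30
    seconds: int      # the "30" in 3/30
    count: int = 0
    last: int = 0

    def add(self, now: int) -> bool:
        """Count one new connection at `now`; True means the source is over the rate."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0                                  # whole window elapsed
        else:
            self.count -= self.count * diff // self.seconds  # partial decay
        self.count += MULT
        self.last = now
        return self.count > self.limit * MULT


@dataclass
class OverloadTable:
    """Models <ssh-bruteforce>: address -> time it was added (the 'Cleared'
    stamp that 'pfctl -vv -t ssh-bruteforce -T show' reports)."""
    entries: dict = field(default_factory=dict)

    def add(self, addr: str, now: int) -> None:
        self.entries[addr] = now

    def expire(self, seconds: int, now: int) -> list:
        """Like 'pfctl -t ssh-bruteforce -T expire N' run from cron: drop entries
        whose stamp is more than `seconds` old. Returns the addresses removed."""
        gone = [a for a, t in self.entries.items() if now - t > seconds]
        for a in gone:
            del self.entries[a]
        return gone


class SshGuard:
    """Rule order modelled: quick whitelist pass, quick block from the table,
    then the rate-limited pass with 'overload <ssh-bruteforce> flush global'."""

    def __init__(self, limit: int, seconds: int, whitelist=()):
        self.limit, self.seconds = limit, seconds
        self.whitelist = set(whitelist)   # assumed 'pass ... quick' rule ahead of the block
        self.sources = {}                 # addr -> Threshold (pf's source node)
        self.states = {}                  # addr -> number of open SSH states
        self.table = OverloadTable()

    def connect(self, addr: str, now: int) -> str:
        """Outcome of one new SSH connection: 'pass', 'blocked' or 'overload'."""
        if addr in self.whitelist:
            return "pass"
        if addr in self.table.entries:
            return "blocked"             # block drop in log quick from <ssh-bruteforce>
        thr = self.sources.setdefault(addr, Threshold(self.limit, self.seconds))
        if thr.add(now):
            self.table.add(addr, now)    # overload <ssh-bruteforce>
            self.states.pop(addr, None)  # flush global: kill this source's states
            return "overload"            # the triggering connection is dropped too
        self.states[addr] = self.states.get(addr, 0) + 1
        return "pass"


def scenario():
    """Constructed scenario: an rsync-style burst, a slow legitimate user,
    a whitelisted admin, and the nightly expiry at exactly / just over a day."""
    g = SshGuard(limit=3, seconds=30, whitelist={"198.51.100.5"})
    burst = [g.connect("203.0.113.9", t) for t in (0, 1, 2, 3)]
    after_window = g.connect("203.0.113.9", 60)                  # still in the table
    slow = [g.connect("192.0.2.7", t) for t in range(0, 150, 15)]  # one login per 15 s
    admin = [g.connect("198.51.100.5", t) for t in range(5)]      # whitelisted
    not_yet = g.table.expire(86400, now=3 + 86400)               # exactly a day: kept
    expired = g.table.expire(86400, now=3 + 86401)               # over a day: removed
    return {
        "burst": burst, "after_window": after_window, "slow": slow,
        "admin": admin, "not_yet": not_yet, "expired": expired,
        "table": dict(g.table.entries),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:>13}: {value}")
```

Running it shows the fourth connection of the burst being overloaded and every later attempt from that source blocked until the expiry removes the entry, while the one-per-15-seconds source never trips 3/30. Changing `limit`/`seconds` to the 3/60 of the pf.conf above is a quick way to see how much more easily a legitimate burst lands in the table, which is the reason for the whitelist.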