From owner-freebsd-questions@FreeBSD.ORG Fri Oct 16 19:12:00 2009
Message-ID: <99934.58817.qm@web56206.mail.re3.yahoo.com>
References: <526808.11391.qm@web56207.mail.re3.yahoo.com> <4ACFB17A.1080400@infracaninophile.co.uk> <628151.64600.qm@web56204.mail.re3.yahoo.com> <4AD820FE.4050808@infracaninophile.co.uk>
Date: Fri, 16 Oct 2009 12:11:58 -0700 (PDT)
From: Aflatoon Aflatooni
To: freebsd-questions@freebsd.org
In-Reply-To: <4AD820FE.4050808@infracaninophile.co.uk>
Subject: Re: Security blocking question

> Aflatoon Aflatooni wrote:
> > > > Is there a way that I could configure the server so that if there are for
> > > > example X attempts from an IP address then for the next Y hours all the SSH
> > > > requests would be ignored from that IP address? There are only a handful of
> > > > people who have access to that server.
> > >
> > > Yes.
> > >
> > > In pf.conf:
> > >
> > > table <ssh-bruteforce> persist
> > >
> > > [...]
> > >
> > > block drop in log quick on $ext_if from <ssh-bruteforce>
> > > [...]
> > >
> > > pass in on $ext_if proto tcp            \
> > >     from any to $ext_if port ssh        \
> > >     flags S/SA keep state               \
> > >     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> > >
> > > plus you'll need to add a cron job to clear old entries out of the
> > > ssh-bruteforce table after a suitable amount of time has passed.  Use
> > > expiretable to do that.  Note: in practice I've found that it's a *really
> > > good idea* to implement an SSH whitelist of addresses that will never be
> > > bruteforce blocked like this -- it's very easy to lock yourself out even
> > > if everything you're doing is entirely legitimate.  Coding that is left as
> > > an exercise for the reader.
> >
> > What is the best way of testing the PF rule? Is there a quick way to mimic
> > a brute force? Is there a way that I could review the content of the table
> > through pfctl -s all
>
> To test, you need access to a machine not in your whitelist from where you
> can try ssh'ing into the protected machine several times in rapid sequence.
> 3 times in 30s sounds quite fast, but it is actually not too hard to achieve
> accidentally, especially if you use tools like rsync over SSH transport.  You
> should have a login concurrently from some other IP or on the console,
> otherwise you will lock yourself out.
>
> To see what IPs have been added to the ssh-bruteforce table and when and what
> traffic has been blocked:
>
>   # pfctl -vv -t ssh-bruteforce -T show
>
> To manually delete an IP from the ssh-bruteforce table:
>
>   # pfctl -t ssh-bruteforce -T delete 12.34.56.78
>
> As noted elsewhere in this thread, instead of using expiretable, you can run
> this out of cron to expire addresses over a day old from the ssh-bruteforce
> blocklist:
>
>   # pfctl -t ssh-bruteforce -T expire 86400
>
> The pfctl(8) man page is pretty illuminating.
>
>     Cheers,
>
>     Matthew
>

Thanks,
I have the following in my pf.conf:

ext_if="bge0"
# Public Services --  smtp, http, pop3s
tcpPubServices = "{ 25, 80, 995 }"
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set limit { states 10000, frags 5000 }
#set loginterface none
set optimization normal
set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
set skip on lo0
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

pass out all
block in log all
# <TABLE> stands for the overload table name, which the archive stripped; the same name is used in the two rules below
table <TABLE> { }
block in quick from <TABLE> to any
pass in on $ext_if inet proto tcp from any to any port $tcpPubServices flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to any port ssh modulate state (source-track rule max-src-nodes 8 max-src-conn 8 max-src-conn-rate 3/60 overload <TABLE> flush global)


And I have tried to make a lot of ssh connections to the box and killing them with ctrl-c or bad-password but nothing gets added to the table. There isn't anything in the log either. How would I go about figuring out what is wrong?

Thanks
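Both rules in this thread (Matthew's 3/30 and the 3/60 in the config above) turn on what max-src-conn-rate actually counts. The following is an added illustration, not code from the thread or from pf itself: it models pf's per-source rate bookkeeping as I read pf_add_threshold() and pf_check_threshold() in pf.c, a counter that decays linearly over the window and is advanced when a tracked TCP connection completes its handshake, and shows that a limit of 3 trips on the fourth connection in quick succession, not the third, while attempts spaced half a window apart never trip it. Timestamps are assumed to be whole seconds, and parse_rate, SourceNode and first_overload are names I chose for the example.

```python
"""Model of pf's max-src-conn-rate accounting (added example, not pf's code).

Per source, pf keeps a counter scaled by 1000 that decays linearly over the
configured window and grows by 1000 each time a tracked TCP connection
completes its handshake; the source is overloaded once count > limit * 1000.
"""
from typing import List, Optional, Tuple

SCALE = 1000  # pf's PF_THRESHOLD_MULT: keeps the decay in integer arithmetic


def parse_rate(spec: str) -> Tuple[int, int]:
    """Parse a pf.conf rate such as "3/60" into (limit, seconds)."""
    limit, seconds = spec.split("/")
    return int(limit), int(seconds)


class SourceNode:
    """Per-source-address bookkeeping, as pf's source tracking keeps it."""

    def __init__(self, limit: int, seconds: int) -> None:
        self.limit = limit * SCALE
        self.seconds = seconds
        self.count = 0
        self.last: Optional[int] = None  # time of the previous connection

    def connection_established(self, now: int) -> bool:
        """Account one completed connection at `now` (whole seconds);
        return True once the source should be overloaded."""
        if self.last is not None:
            diff = now - self.last
            if diff >= self.seconds:
                self.count = 0                                   # window elapsed
            else:
                self.count -= self.count * diff // self.seconds  # linear decay
        self.count += SCALE
        self.last = now
        return self.count > self.limit


def first_overload(conn_times: List[int], spec: str) -> Optional[int]:
    """1-based index of the connection that trips `spec`, or None if none does."""
    node = SourceNode(*parse_rate(spec))
    for i, t in enumerate(conn_times, start=1):
        if node.connection_established(t):
            return i
    return None
```

With constructed timelines (seconds from the first attempt by one client), first_overload([0, 1, 2], "3/60") returns None, first_overload([0, 1, 2, 3], "3/60") returns 4, and first_overload([0, 30, 60, 90, 120], "3/60") never trips.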