From owner-freebsd-questions@FreeBSD.ORG  Mon May  3 16:39:36 2010
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 12D031065670
	for <freebsd-questions@freebsd.org>;
	Mon,  3 May 2010 16:39:36 +0000 (UTC)
	(envelope-from john@starfire.mn.org)
Received: from elwood.starfire.mn.org (starfire.skypoint.net [173.8.102.29])
	by mx1.freebsd.org (Postfix) with ESMTP id E10678FC0A
	for <freebsd-questions@freebsd.org>;
	Mon,  3 May 2010 16:39:35 +0000 (UTC)
Received: from elwood.starfire.mn.org (john@localhost [127.0.0.1])
	by elwood.starfire.mn.org (8.14.3/8.14.3) with ESMTP id o43GdYoC015671; 
	Mon, 3 May 2010 11:39:34 -0500 (CDT)
	(envelope-from john@elwood.starfire.mn.org)
Received: (from john@localhost)
	by elwood.starfire.mn.org (8.14.3/8.14.3/Submit) id o43GdXSv015670;
	Mon, 3 May 2010 11:39:34 -0500 (CDT) (envelope-from john)
Date: Mon, 3 May 2010 11:39:33 -0500
From: John <john@starfire.mn.org>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Message-ID: <20100503163933.GA15599@elwood.starfire.mn.org>
References: <20100503144110.GA14402@elwood.starfire.mn.org>
	<4BDEF9E4.9020806@infracaninophile.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4BDEF9E4.9020806@infracaninophile.co.uk>
User-Agent: Mutt/1.4.2.3i
Cc: John <john@starfire.mn.org>, freebsd-questions@freebsd.org
Subject: Re: pf suggestions for paced attack
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 03 May 2010 16:39:36 -0000

On Mon, May 03, 2010 at 05:29:24PM +0100, Matthew Seaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 03/05/2010 15:41:10, John wrote:
> > The script kiddies have apparently figured out that we use some
> > time-window sensitivity in our adaptive filtering.  From sshd, I've
> > been seeing "reverse mapping checking getaddrinfo ... failed" and
> > from ftpd (when I have the port open at all, which is rare), I am
> > seeing probes at about 27 second intervals.  This stays well below
> > the 3/30 (three connections in 30 seconds) sensitivity that I had
> > been using.  It took them nearly two and a half hours to make 154
> > attemps, but computers are very patient.
> > 
> > I have now changed the timing window sensivity, but it's to the
> > point now where there's a significant probability that someone could
> > lock themselves out (temporarily, at least, I do clear these tables
> > periodically) if they are having a bit of a fat-finger moment with
> > their password.
> > 
> > Anybody got any superior suggestions?
> 
> Heh.  If the attackers are forced to slow down the probe rate so
> drastically, then their chances of breaking in would be greatly reduced
> /even/ if you were using guessable passwords.  Which I shall assume you
> aren't: key based auth is what you need, or maybe OTP.  You certainly
> should not be relying on rate-adaptive blocking alone to secure your
> system -- it's more a way of preventing your log files from being
> flooded with crap -- and you've limited that quite effectively by
> forcing the attackers to slow down.  I'd not feel any necessity to
> modify the rate settings on your PF rule.
> 
> Anyhow, there is certainly a potential to lock yourself out using
> adaptive blacklisting.  If you know where your friends are going to be
> logging in from, then I'd set up a whitelist.  Something like this:
> 
> (replace with a list of the addresses / ranges you want to allow)
> 
> table <ssh-whitelist> const { \
>     192.0.2.0/24              \
> } persist
> table <ssh-bruteforce> persist
> 
> set skip on lo0
> 
> scrub in
> pass all
> 
> antispoof log quick for lo0
> block drop in log quick from <ssh-bruteforce>
> 
> pass in proto tcp from !<ssh-whitelist> to port ssh \
>      flags S/SA keep state                          \
>      (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> pass in proto tcp from <ssh-whitelist> to port ssh  \
>      flags S/SA keep state
> 
> 	Cheers,
> 
> 	Matthew
> 
> - -- 
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW

Hi, Matthew.  Indeed, yes, you may not recall, but my rules are
based on a set that I originally got from you, and I do, in fact,
have a white list, which I should have mentioned, but some of my
users are "road warriors" and could be coming from virtually anywhere.
You're right, though - it's time to look into alternatives to
password-based authenticaion.  I think I've taken password-based
protection and rate adaptive rules to their logical limit.

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkve+eQACgkQ8Mjk52CukIzpTwCgg/NpuZjR1mnfkcBX169LB5Ih
> ykYAnjQLprMKxMtKW2IfgWNEB5bTt33Q
> =12Jn
> -----END PGP SIGNATURE-----
-- 

John Lind
john@starfire.MN.ORG