From: Balázs Mátéffy
To: freebsd-questions@freebsd.org
Date: Mon, 3 May 2010 18:46:36 +0200
Subject: Re: pf suggestions for paced attack

Hello,

What if you use a perl or whatever script, to look in the logs, and after
a number of bad password attempts you just add that IP to the badboys
table? Some programs out there are capable of doing this, e.g. Daniel
Gerzo's bruteforceblocker (you have to edit it), or bruteblock (if I'm
right with the name).

Regards,
MB.

On 3 May 2010 18:39, John wrote:
> On Mon, May 03, 2010 at 05:29:24PM +0100, Matthew Seaman wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 03/05/2010 15:41:10, John wrote:
> > > The script kiddies have apparently figured out that we use some
> > > time-window sensitivity in our adaptive filtering. From sshd, I've
> > > been seeing "reverse mapping checking getaddrinfo ... failed" and
> > > from ftpd (when I have the port open at all, which is rare), I am
> > > seeing probes at about 27 second intervals. This stays well below
> > > the 3/30 (three connections in 30 seconds) sensitivity that I had
> > > been using. It took them nearly two and a half hours to make 154
> > > attempts, but computers are very patient.
> > >
> > > I have now changed the timing window sensitivity, but it's to the
> > > point now where there's a significant probability that someone could
> > > lock themselves out (temporarily, at least, I do clear these tables
> > > periodically) if they are having a bit of a fat-finger moment with
> > > their password.
> > >
> > > Anybody got any superior suggestions?
> >
> > Heh. If the attackers are forced to slow down the probe rate so
> > drastically, then their chances of breaking in would be greatly reduced
> > /even/ if you were using guessable passwords. Which I shall assume you
> > aren't: key based auth is what you need, or maybe OTP.
> > You certainly should not be relying on rate-adaptive blocking alone to
> > secure your system -- it's more a way of preventing your log files from
> > being flooded with crap -- and you've limited that quite effectively by
> > forcing the attackers to slow down. I'd not feel any necessity to
> > modify the rate settings on your PF rule.
> >
> > Anyhow, there is certainly a potential to lock yourself out using
> > adaptive blacklisting. If you know where your friends are going to be
> > logging in from, then I'd set up a whitelist. Something like this:
> >
> > (replace with a list of the addresses / ranges you want to allow)
> >
> > # The <...> table names were stripped when this mail was archived.
> > # <badboys> is the name used elsewhere in this thread for the overload
> > # table; <whitelist> is a placeholder for the table of allowed sources.
> > table <whitelist> const { \
> >     192.0.2.0/24 \
> > } persist
> > table <badboys> persist
> >
> > set skip on lo0
> >
> > scrub in
> > pass all
> >
> > antispoof log quick for lo0
> > # anything already in the overload table is dropped before the ssh rules
> > block drop in log quick from <badboys>
> >
> > # non-whitelisted sources: more than 3 new connections in 30 seconds
> > # puts the source into <badboys> and flushes its existing states
> > pass in proto tcp from ! <whitelist> to port ssh \
> >     flags S/SA keep state \
> >     (max-src-conn-rate 3/30, overload <badboys> flush global)
> > # whitelisted sources are never rate-limited
> > pass in proto tcp from <whitelist> to port ssh \
> >     flags S/SA keep state
> >
> > Cheers,
> >
> > Matthew
> >
> > - --
> > Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
> >                                                   Flat 3
> > PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> >                                                   Kent, CT11 9PW
>
> Hi, Matthew. Indeed, yes, you may not recall, but my rules are
> based on a set that I originally got from you, and I do, in fact,
> have a white list, which I should have mentioned, but some of my
> users are "road warriors" and could be coming from virtually anywhere.
> You're right, though - it's time to look into alternatives to
> password-based authentication. I think I've taken password-based
> protection and rate adaptive rules to their logical limit.
>
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> >
> > iEYEARECAAYFAkve+eQACgkQ8Mjk52CukIzpTwCgg/NpuZjR1mnfkcBX169LB5Ih
> > ykYAnjQLprMKxMtKW2IfgWNEB5bTt33Q
> > =12Jn
> > -----END PGP SIGNATURE-----
> --
> John Lind
> john@starfire.MN.ORG
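The log-driven approach MB proposes, alongside the pf overload rule Matthew quotes, can be sketched as follows. This is an added example written for this archive page; it is not code from the thread, from bruteforceblocker or from bruteblock. The table name badboys is taken from the thread, the whitelist address and the sshd log lines are constructed, and the table commands are those of pfctl(8). The point it demonstrates is John's: a 27-second probe cadence never trips a 3-in-30-seconds rate rule, but a count over a window of minutes catches it while still sparing a user who mistypes a password twice.

```shell
#!/bin/sh
# Added example, not from the thread: scan sshd log lines for failed password
# attempts, count them per source address over a sliding window, and feed the
# offenders into the pf table the ruleset overloads into. The table name
# "badboys" comes from the thread; the whitelist entry and the log lines are
# constructed for illustration.

WHITELIST="192.0.2.10"          # constructed: addresses never to block
                                # (in production: pfctl -t <table> -T test ADDR)

# find_offenders THRESHOLD WINDOW_SECONDS "WHITELIST"  < auth.log
#   Prints each address that reaches THRESHOLD failures within any
#   WINDOW_SECONDS span, once, in order of first detection.
find_offenders() {
    awk -v threshold="$1" -v window="$2" -v wl="$3" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        n = split(wl, w, " ")
        for (i = 1; i <= n; i++) white[w[i]] = 1
    }
    # syslog "Mon DD HH:MM:SS" -> seconds; months are treated as 31 days,
    # which is exact within a month and close enough at the boundary for
    # windows of minutes or hours
    function tosec(mo, d, hms,    a) {
        split(hms, a, ":")
        return (mon[mo] * 31 + d) * 86400 + a[1] * 3600 + a[2] * 60 + a[3]
    }
    # only "Failed password" lines: the "Invalid user" line sshd logs for
    # the same attempt would otherwise be counted twice
    /sshd\[[0-9]+\]: Failed password for / {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || (ip in white)) next
        t = tosec($1, $2, $3)
        # drop timestamps that have left the window, then record this one
        n = split(hist[ip], h, " ")
        keep = ""; cnt = 0
        for (i = 1; i <= n; i++)
            if (h[i] > t - window) { keep = keep " " h[i]; cnt++ }
        hist[ip] = keep " " t; cnt++
        if (cnt >= threshold && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }'
}

# block_offenders TABLE  < addresses
#   Adds each address to the pf table (needs root and a loaded ruleset that
#   declares the table); without pfctl it only shows the command it would run.
block_offenders() {
    while read -r ip; do
        if command -v pfctl >/dev/null 2>&1; then
            pfctl -t "$1" -T add "$ip"
        else
            echo "would run: pfctl -t $1 -T add $ip"
        fi
    done
}

# Constructed sample: 198.51.100.7 probes every 27 s (never 3 within 30 s),
# 203.0.113.5 is a user who mistypes twice and then gets in with a key, and
# 192.0.2.10 is the whitelisted address failing five times in four seconds.
SAMPLE_LOG='May  3 14:01:02 gw sshd[5101]: Failed password for root from 198.51.100.7 port 40122 ssh2
May  3 14:01:10 gw sshd[5102]: Failed password for john from 203.0.113.5 port 50012 ssh2
May  3 14:01:29 gw sshd[5103]: Failed password for root from 198.51.100.7 port 40130 ssh2
May  3 14:01:31 gw sshd[5104]: Failed password for john from 203.0.113.5 port 50014 ssh2
May  3 14:01:40 gw sshd[5104]: Accepted publickey for john from 203.0.113.5 port 50014 ssh2
May  3 14:01:56 gw sshd[5105]: Failed password for invalid user admin from 198.51.100.7 port 40138 ssh2
May  3 14:02:23 gw sshd[5106]: Failed password for invalid user oracle from 198.51.100.7 port 40146 ssh2
May  3 14:02:50 gw sshd[5107]: Failed password for root from 198.51.100.7 port 40151 ssh2
May  3 14:03:00 gw sshd[5108]: Failed password for root from 192.0.2.10 port 3312 ssh2
May  3 14:03:01 gw sshd[5109]: Failed password for root from 192.0.2.10 port 3313 ssh2
May  3 14:03:02 gw sshd[5110]: Failed password for root from 192.0.2.10 port 3314 ssh2
May  3 14:03:03 gw sshd[5111]: Failed password for root from 192.0.2.10 port 3315 ssh2
May  3 14:03:04 gw sshd[5112]: Failed password for root from 192.0.2.10 port 3316 ssh2'

# Five failures within ten minutes: catches the paced probe, spares the typo.
printf '%s\n' "$SAMPLE_LOG" | find_offenders 5 600 "$WHITELIST" | block_offenders badboys
```

Run against a live system the script would read the auth log (tail -F or a periodic cron run over the recent lines) instead of the embedded sample, and the table it adds to must be the same one the `overload` rule names, so that a single `block drop in quick from <badboys>` rule covers both the rate-triggered and the log-triggered entries. Entries added with `pfctl -T add` stay until they are removed or the table is flushed, which matches John's practice of clearing the tables periodically.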