From: Elliott Perrin <elliott@c7.ca>
To: "John ."
Cc: freebsd-pf@freebsd.org
Date: Mon, 26 May 2008 03:04:10 -0400
Message-Id: <1211785451.91794.19.camel@kensho.c7.ca>
Subject: Re: auto-blackholing/blacklisting on multiple hacking attempts
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, 2008-05-26 at 02:20 +0100, John .
wrote:
> Hi,
>
> I'm running FreeBSD 7-RELEASE
>
> I see this, for example, in my auth log:
>
> May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
> May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
> May 15 02:00:43 www sshd[9184]: Invalid user web from 201.18.232.30
> May 15 02:00:45 www sshd[9186]: Invalid user web from 201.18.232.30
> May 15 02:00:48 www sshd[9188]: Invalid user web from 201.18.232.30
> May 15 02:00:50 www sshd[9190]: Invalid user web from 201.18.232.30
> May 15 02:00:52 www sshd[9192]: Invalid user web from 201.18.232.30
> May 15 02:00:54 www sshd[9194]: Invalid user web from 201.18.232.30
> May 15 02:00:56 www sshd[9196]: Invalid user web from 201.18.232.30
> May 15 02:00:58 www sshd[9198]: Invalid user web from 201.18.232.30
> May 15 02:01:00 www sshd[9200]: Invalid user web from 201.18.232.30
> May 15 02:01:02 www sshd[9205]: Invalid user web from 201.18.232.30
> May 15 02:01:04 www sshd[9207]: Invalid user account from 201.18.232.30
> May 15 02:01:06 www sshd[9209]: Invalid user account from 201.18.232.30
> May 15 02:01:08 www sshd[9211]: Invalid user account from 201.18.232.30
> May 15 02:01:10 www sshd[9213]: Invalid user account from 201.18.232.30
> May 15 02:01:12 www sshd[9218]: Invalid user account from 201.18.232.30
> May 15 02:01:14 www sshd[9220]: Invalid user account from 201.18.232.30
> May 15 02:01:39 www sshd[9244]: Invalid user apache from 201.18.232.30
> May 15 02:01:41 www sshd[9246]: Invalid user apache from 201.18.232.30
> May 15 02:01:43 www sshd[9248]: Invalid user apache from 201.18.232.30
> May 15 02:01:45 www sshd[9250]: Invalid user apache from 201.18.232.30
> May 15 02:01:47 www sshd[9252]: Invalid user apache from 201.18.232.30
>
> I'd like it to be so that if an IP tries to connect to sshd more than
> once in a 30 second period, that they are immediately blackholed.
> Should I be using pf for this or would it be done better in some other
> utility?
In pf you could write a rule like

    pass in quick on $ext_if proto tcp from any to $some_ip_address port 22 \
        flags S/SAFR keep state \
        (max-src-conn 1, max-src-conn-rate 1/30, overload <ssh_hacks> flush global)

You would have to have set up a table named <ssh_hacks> in your configuration and assign values to both $ext_if and $some_ip_address, or replace them with whatever values work for you.

This rule would track connections, allowing a maximum of 1 connection per source IP address, and would allow 1 connection to be initiated every 31 seconds or longer; otherwise it would add the offending IP address to the table and flush the global state table of all entries from the same source IP.

You would have to have a rule in your configuration prior to this rule that would block traffic from source IP addresses in the ssh_hacks table. Depending on your policies this could be a block of all services or just ssh. Personally I use a rule like

    block drop log quick from <ssh_hacks>

but

    block drop log in quick proto tcp from <ssh_hacks> to any port 22

would block ssh traffic from the offending IP to just ssh services on your network.

Beware that you can lock yourself out of your servers very quickly with this if you do not have another rule allowing yourself access to your machines set up earlier in your configuration.

Cheers,
~e
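The complete pf.conf fragment the reply describes, as an added example rather than Elliott's own configuration: the table definition, the admin rule that protects against self-lockout, the block rule that must precede the tracking rule, and the tracking rule itself. The interface name, the sshd host address and the admin network are assumed placeholder values.

```pf
# /etc/pf.conf fragment (added example; placeholder values, TEST-NET-1 addresses)
ext_if    = "em0"                 # assumed external interface
ssh_host  = "192.0.2.10"          # assumed address of the sshd host
admin_net = "{ 192.0.2.0/24 }"    # assumed network you administer from

# Table that the overload option fills; persist keeps it across rule reloads.
table <ssh_hacks> persist

# 1. Match the admin network first, so an overload entry for one of your
#    own addresses can never lock you out.
pass in quick on $ext_if proto tcp from $admin_net to $ssh_host port 22 \
    flags S/SAFR keep state

# 2. Drop sources already in the table. This must come before the tracking
#    rule, or a listed source would simply be re-evaluated by rule 3.
block drop log in quick on $ext_if proto tcp from <ssh_hacks> to any port 22

# 3. Track everyone else: at most 1 open connection per source and at most
#    1 new connection per 30 seconds. Exceeding either limit adds the source
#    to <ssh_hacks>, and "flush global" kills all of that source's states.
pass in quick on $ext_if proto tcp from any to $ssh_host port 22 \
    flags S/SAFR keep state \
    (max-src-conn 1, max-src-conn-rate 1/30, overload <ssh_hacks> flush global)
```

Entries added by overload stay in the table until removed; `pfctl -t ssh_hacks -T show` lists them, and a periodic `pfctl -t ssh_hacks -T expire 86400` drops entries older than a day so a mistyped password does not ban a legitimate host forever.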