From owner-freebsd-pf@FreeBSD.ORG Mon May 26 21:11:35 2008
From: "Olli Hauer" <ohauer@gmx.de>
To: elliott@c7.ca, comp.john@googlemail.com
Cc: freebsd-pf@freebsd.org
Date: Mon, 26 May 2008 22:44:54 +0200
Subject: Re: auto-blackholing/blacklisting on multiple hacking attempts
Message-ID: <20080526204454.97610@gmx.net>
In-Reply-To: <1211785451.91794.19.camel@kensho.c7.ca>
References: <1211785451.91794.19.camel@kensho.c7.ca>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> > Hi,
> >
> > I'm running freebsd 7-RELEASE
> >
> > I see this, for example, in my auth log:
> >
> > May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
> > May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
> > ...
> > May 15 02:01:43 www sshd[9248]: Invalid user apache from 201.18.232.30
> > May 15 02:01:45 www sshd[9250]: Invalid user apache from 201.18.232.30
> > May 15 02:01:47 www sshd[9252]: Invalid user apache from 201.18.232.30
> >
> > I'd like it to be so that if an IP tries to connect to sshd more than
> > once in a 30 second period, that they are immediately blackholed.
> > Should I be using pf for this or would it be done better in some other
> > utility?
>
> In pf you could write a rule like
>
> pass in quick on $ext_if proto tcp from any to $some_ip_address port 22
>   flags S/SAFR keep state (max-src-conn 1, max-src-conn-rate 1/30,
>   overload <ssh_hacks> flush global)
>
> you would have to have set up a table named <ssh_hacks> in your
> configuration and assign values to both $ext_if and $some_ip_address or
> replace them with whatever values work for you.
>
> This rule would track connections allowing a maximum of 1 connection per
> source IP address and would allow 1 connection to be initiated every 31
> seconds or longer, otherwise it would add the offending IP address to
> the <ssh_hacks> table and flush the global state table of all entries
> from the same source IP.
>
> You would have to have a rule in your configuration prior to this rule
> that would block traffic from source IP addresses in the ssh_hacks
> table. Depending on your policies this could be a block of all services
> or just ssh. Personally I use a rule like
>
> block drop log quick from <ssh_hacks>
>
> but
>
> block drop log in quick proto tcp from <ssh_hacks> to any port 22
>
> would block ssh traffic from the offending IP to just ssh services on
> your network.
>
> Beware that you can lock yourself out of your servers very quickly with
> this if you do not have another rule allowing yourself access to your
> machines set up earlier in your configuration.

I have a nice script for my OpenBSD machines available; with some small
changes it will work also on FreeBSD.

The script makes use of a special table: it dumps and compares the
addresses with a run some minutes ago (cron job) and reports the IPs by
mail with the help of GeoIP. These reports make it easy to block big
network ranges where you don't expect to travel ...

You can get the script here:
http://sorry.mine.nu/scripts/pftable_to_file.sh.txt

ps: In the directory is also an actual bf_ssh dump from one of my machines

regards,
olli
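A complete ruleset assembling the pieces from the quoted reply (the table, a block rule placed before the pass rule, and a rule that protects the administrator from the lock-out the reply warns about), added here as an example; it is not taken from the thread or from Olli's script. The interface name and the addresses are assumptions using the RFC 5737 documentation ranges.

```pf
# /etc/pf.conf fragment (added example; interface and addresses are assumptions)
ext_if    = "em0"              # assumption: external interface
ssh_host  = "192.0.2.10"       # assumption: address sshd listens on
admin_net = "198.51.100.0/24"  # assumption: where you administer from

# Table that the overload option fills. "persist" keeps it across reloads
# even while it is empty or unreferenced.
table <ssh_hacks> persist

# 1. Admin network first and "quick": a source in this range never reaches
#    the rate-limited rule, so it can never end up in <ssh_hacks>.
pass in quick on $ext_if proto tcp from $admin_net to $ssh_host port 22 \
    flags S/SA keep state

# 2. Drop everything from addresses already in the table. This must come
#    before the rate-limited pass rule, otherwise the pass rule wins.
block drop log quick from <ssh_hacks>

# 3. Everybody else: at most one state per source address and at most one
#    new connection per 30 seconds; a source that exceeds either limit is
#    added to <ssh_hacks> and all of its existing states are flushed.
pass in quick on $ext_if proto tcp from any to $ssh_host port 22 \
    flags S/SAFR keep state (max-src-conn 1, max-src-conn-rate 1/30, \
    overload <ssh_hacks> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and inspect the table with `pfctl -t ssh_hacks -T show`. Entries added by `overload` stay in the table until removed, so to release an address use `pfctl -t ssh_hacks -T delete 203.0.113.5`, or age the whole table from cron with `pfctl -t ssh_hacks -T expire 86400`, which drops entries older than one day.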
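The cron workflow Olli describes (dump a pf table, compare it with the previous run, report what is new) as an added example; this is not Olli's pftable_to_file.sh and it leaves out the GeoIP lookup and the mail step (cron mails the script's output to the owner of the crontab). The table name and the state directory are assumptions.

```shell
#!/bin/sh
# pf_table_report.sh: report addresses that entered a pf table since the
# last run. Added example; not the script from the thread.
# Assumptions: TABLE and STATE_DIR defaults below; pfctl(8) is in PATH.
export LC_ALL=C                  # sort(1) and comm(1) must agree on collation

TABLE="${TABLE:-bf_ssh}"
STATE_DIR="${STATE_DIR:-/var/db/pftable}"

# dump_table NAME: sorted, de-duplicated addresses of pf table NAME.
# pfctl prints each address with leading whitespace, which sed removes.
dump_table() {
    pfctl -t "$1" -T show 2>/dev/null | sed 's/^[[:space:]]*//' | sort -u
}

# new_entries PREV CUR: addresses in CUR that were not in PREV.
# Both files hold one address per line and are sorted, as comm(1) requires.
new_entries() {
    comm -13 "$1" "$2"
}

# gone_entries PREV CUR: addresses that were in PREV but are no longer in CUR
# (for example after "pfctl -T expire").
gone_entries() {
    comm -23 "$1" "$2"
}

main() {
    mkdir -p "$STATE_DIR"
    prev="$STATE_DIR/$TABLE.prev"
    cur="$STATE_DIR/$TABLE.cur"
    [ -f "$prev" ] || : > "$prev"          # first run: everything is new
    dump_table "$TABLE" > "$cur"
    added=$(new_entries "$prev" "$cur")
    removed=$(gone_entries "$prev" "$cur")
    if [ -n "$added" ]; then
        printf 'New entries in <%s> since last run:\n%s\n' "$TABLE" "$added"
    fi
    if [ -n "$removed" ]; then
        printf 'Entries gone from <%s> since last run:\n%s\n' "$TABLE" "$removed"
    fi
    mv "$cur" "$prev"                      # current dump becomes the baseline
}

# Run main only when executed as pf_table_report.sh, so the functions can
# also be sourced and used on saved dumps.
case "$0" in
    */pf_table_report.sh|pf_table_report.sh) main "$@" ;;
esac
```

Install it with a crontab line such as `*/10 * * * * /usr/local/sbin/pf_table_report.sh` as root (pfctl needs /dev/pf); cron sends any output as mail, so a quiet run produces no message.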