Date: Fri, 15 Jun 2012 17:36:32 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: prabhpal@digital-infotech.net Cc: freebsd-stable@freebsd.org Subject: Re: PF to Preventing SMTP Brute Force Attacks Message-ID: <4FDB6490.8080509@infracaninophile.co.uk> In-Reply-To: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net> References: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On 15/06/2012 17:17, Shiv. Nath wrote: > Hi FreeBSD Gurus, > > > i want to use PF to Preventing SMTP Brute Force Attacks. i need some help > to understand correct syntax. > > URL Explaining this: http://www.openbsd.org/faq/pf/filter.html#stateopts > > > i expect the following behavior from the PF rule below: > > Limit the absolute maximum number of states that this rule can create to 200 > > Enable source tracking; limit state creation based on states created by > this rule only > > Limit the maximum number of nodes that can simultaneously create state to 100 > > Limit the maximum number of simultaneous states per source IP to 3 > > Solution: > int0="em0" > trusted_tcp_ports="{22,25,443,465}" > > pass in on $int0 proto tcp from any to any port $trusted_tcp_ports keep > state max 200, source-track rule, max-src-nodes 100, max-src-states 3 Limiting yourself to 200 states won't protect you very much -- you tend to get a whole series of attacks from the same IP, and that just uses one state at a time. Instead, look at the frequency with which an attacker tries to connect to you. Something like this: table <bruteforce> persist [...] block in log quick from <bruteforce> [...] pass in on $ext_if proto tcp \ from any to $ext_if port $trusted_tcp_ports \ flags S/SA keep state \ (max-src-conn-rate 3/300, overload <bruteforce> flush global) Plus you'll need a cron job like this to clean up the bruteforce table, otherwise it will just grow larger and larger: */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1 The end result of this is that if one IP tries to connect to you more than 3 times in 5 minutes, they will get blacklisted. I normally use this just for ssh, so you might want to adjust the parameters appropriately. You should also implement a whitelist for IP ranges you control or use frequently and that will never be used for bruteforce attacks: it is quite easy to block yourself out with these sort of rules. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matthew@infracaninophile.co.uk Kent, CT11 9PW [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/bZJYACgkQ8Mjk52CukIwsmACcDKqjaXNzgxENVCRg4VXAKNnL fFQAn3YWceKOTIa56Ak6jhQz/sbvnNlc =Q6/Z -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FDB6490.8080509>