From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Fri, 15 Jun 2012 17:36:32 +0100
To: prabhpal@digital-infotech.net
Cc: freebsd-stable@freebsd.org
Subject: Re: PF to Preventing SMTP Brute Force Attacks
Message-ID: <4FDB6490.8080509@infracaninophile.co.uk>
In-Reply-To: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net>

On 15/06/2012 17:17, Shiv. Nath wrote:
> Hi FreeBSD Gurus,
>
> I want to use PF to prevent SMTP brute force attacks. I need some help
> to understand the correct syntax.
>
> URL explaining this: http://www.openbsd.org/faq/pf/filter.html#stateopts
>
> I expect the following behaviour from the PF rule below:
>
> Limit the absolute maximum number of states that this rule can create to 200
>
> Enable source tracking; limit state creation based on states created by
> this rule only
>
> Limit the maximum number of nodes that can simultaneously create state to 100
>
> Limit the maximum number of simultaneous states per source IP to 3
>
> Solution:
> int0="em0"
> trusted_tcp_ports="{22,25,443,465}"
>
> pass in on $int0 proto tcp from any to any port $trusted_tcp_ports keep
> state max 200, source-track rule, max-src-nodes 100, max-src-states 3

Limiting yourself to 200 states won't protect you very much -- you tend
to get a whole series of attacks from the same IP, and that just uses
one state at a time. Instead, look at the frequency with which an
attacker tries to connect to you. Something like this:

  table <ssh-bruteforce> persist

  block in log quick from <ssh-bruteforce>

  pass in on $ext_if proto tcp \
      from any to $ext_if port $trusted_tcp_ports \
      flags S/SA keep state \
      (max-src-conn-rate 3/300, overload <ssh-bruteforce> flush global)

Plus you'll need a cron job like this to clean up the bruteforce table,
otherwise it will just grow larger and larger:

  */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1

The end result of this is that if one IP tries to connect to you more
than 3 times in 5 minutes, they will get blacklisted. I normally use
this just for ssh, so you might want to adjust the parameters
appropriately.

You should also implement a whitelist for IP ranges you control or use
frequently and that will never be used for bruteforce attacks: it is
quite easy to block yourself out with this sort of rule.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
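An added example, not from Matthew's post or from pf itself: a small Python model of the two per-source limits discussed in this thread, run over a constructed connection log, showing why a concurrent-state cap such as `max-src-states 3` never fires against a brute-forcer that makes one connection at a time, while `max-src-conn-rate 3/300` with an overload table does, and how the whitelist and the weekly table expiry fit in. The IPs, timestamps and function names are all invented for the illustration; pf's `flush global` (killing the offender's existing states) is not modelled.

```python
from collections import defaultdict, deque

# Constructed log (not real traffic): (seconds, src_ip, "open"|"close"), time-ordered.
# 203.0.113.7 is a sequential brute-forcer; 198.51.100.10 is a busy but legitimate relay.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "open"), (5, "203.0.113.7", "close"),
    (10, "198.51.100.10", "open"), (11, "198.51.100.10", "open"),
    (40, "198.51.100.10", "close"), (41, "198.51.100.10", "close"),
    (60, "203.0.113.7", "open"), (65, "203.0.113.7", "close"),
    (120, "203.0.113.7", "open"), (125, "203.0.113.7", "close"),
    (180, "203.0.113.7", "open"), (185, "203.0.113.7", "close"),  # 4th open in 300 s
]

def refused_by_max_src_states(events, max_src_states):
    """Model 'max-src-states N': a new state is refused while the source
    already holds N concurrent states. Returns {src: refused opens}."""
    active, refused = defaultdict(int), defaultdict(int)
    for _t, src, ev in events:
        if ev == "close":
            active[src] = max(0, active[src] - 1)
        elif active[src] >= max_src_states:
            refused[src] += 1
        else:
            active[src] += 1
    return dict(refused)

def overloaded_by_conn_rate(events, count, seconds, whitelist=frozenset()):
    """Model 'max-src-conn-rate count/seconds, overload <table>': the open that
    pushes a source past `count` opens within `seconds` lands it in the table,
    after which 'block ... from <table>' drops its traffic. Whitelisted
    sources are never counted. Returns {src: time added}."""
    recent = defaultdict(deque)  # src -> timestamps of opens still in the window
    table = {}
    for t, src, ev in events:
        if ev != "open" or src in whitelist or src in table:
            continue
        window = recent[src]
        while window and t - window[0] >= seconds:  # slide the window forward
            window.popleft()
        window.append(t)
        if len(window) > count:
            table[src] = t
    return table

def expire_table(table, now, max_age=604800):
    """Model the cron job: drop table entries older than max_age (7 days)."""
    return {src: t for src, t in table.items() if now - t < max_age}
```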