Date:      Fri, 15 Jun 2012 16:55:36 -0000
From:      "Shiv. Nath" <prabhpal@digital-infotech.net>
To:        "Matthew Seaman" <m.seaman@infracaninophile.co.uk>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: PF to Preventing SMTP Brute Force Attacks
Message-ID:  <98c09d7edf95e0e07910e7e5ce46accc.squirrel@mail.digital-infotech.net>
In-Reply-To: <4FDB6490.8080509@infracaninophile.co.uk>
References:  <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net> <4FDB6490.8080509@infracaninophile.co.uk>


> Limiting yourself to 200 states won't protect you very much -- you tend
> to get a whole series of attacks from the same IP, and that just uses
> one state at a time.
>
> Instead, look at the frequency with which an attacker tries to connect
> to you.  Something like this:
>
> table <bruteforce> persist
>
> [...]
>
> block in log quick from <bruteforce>
>
> [...]
>
> pass in on $ext_if proto tcp                     \
>      from any to $ext_if port $trusted_tcp_ports \
>      flags S/SA keep state                       \
>      (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>
> Plus you'll need a cron job like this to clean up the bruteforce table,
> otherwise it will just grow larger and larger:
>
> */12 * * * *	/sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>
> The end result of this is that if one IP tries to connect to you more
> than 3 times in 5 minutes, they will get blacklisted.  I normally use
> this just for ssh, so you might want to adjust the parameters
> appropriately.  You should also implement a whitelist for IP ranges you
> control or use frequently and that will never be used for bruteforce
> attacks: it is quite easy to block yourself out with these sort of rules.
>
> 	Cheers,
>
> 	Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW


Dear Matthew,

Grateful for sending me in the right direction; the solution really sounds good.
Does this look like a good configuration for "/etc/pf.conf"?

# START
# pf tables are declared and referenced as <name>
table <bruteforce> persist
block in log quick from <bruteforce>

pass in on $ext_if proto tcp \
from any to $ext_if port $trusted_tcp_ports \
flags S/SA keep state \
(max-src-conn-rate 3/300, overload <bruteforce> flush global)

# END

And cron:
*/12 * * * *	/sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1

What is the function of "expire 604800"? Does it apply to the entries in the table?
Should it be -t bruteforce or -t ssh-bruteforce?

Thanks
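As an added example that is not part of this thread, a small sh script that keeps the cleanup cron in step with the ruleset: it reads the overload table name out of a constructed pf.conf fragment (which also carries the whitelist recommended above; $ext_if and $trusted_tcp_ports are assumed macros) and emits the matching pfctl command. pfctl -T expire N deletes entries added to the table (or whose statistics were last cleared) more than N seconds ago, so 604800 drops an address a week after it was banned.

```shell
#!/bin/sh
# Added example, not from the thread: keep the cleanup cron in step with
# the ruleset by reading the overload table name out of pf.conf instead
# of retyping it (the thread's cron expired "ssh-bruteforce" while the
# rules fed "bruteforce", so that table would never have been cleaned).
set -u

# Constructed pf.conf fragment following the quoted rules plus the
# recommended whitelist. $ext_if and $trusted_tcp_ports are assumed to
# be macros defined earlier in the real file; addresses are examples.
sample_pf_conf() {
    cat <<'EOF'
table <bruteforce> persist
table <whitelist> persist { 192.0.2.0/24, 198.51.100.7 }
# whitelisted sources match here first and never reach the rate limit
pass in quick on $ext_if proto tcp from <whitelist> to $ext_if \
    port $trusted_tcp_ports flags S/SA keep state
block in log quick from <bruteforce>
pass in on $ext_if proto tcp from any to $ext_if \
    port $trusted_tcp_ports flags S/SA keep state \
    (max-src-conn-rate 3/300, overload <bruteforce> flush global)
EOF
}

# Print every table named as an overload target in the given pf.conf.
overload_tables() {
    sed -n 's/.*overload[[:space:]]*<\([^>]*\)>.*/\1/p' "$1" | sort -u
}

# Build the cleanup command: "pfctl -T expire N" deletes entries added
# (or last cleared) more than N seconds ago; 604800 is 7 days, so the
# table stops growing without unbanning recent offenders.
cleanup_command() {
    printf '/sbin/pfctl -t %s -T expire %s >/dev/null 2>&1\n' "$1" "$2"
}

main() {
    conf=$(mktemp)
    sample_pf_conf > "$conf"
    for t in $(overload_tables "$conf"); do
        cleanup_command "$t" 604800
    done
    rm -f "$conf"
}

main
```

The printed line is what belongs in the crontab; pointing it at any other table name silently leaves the real overload table to grow forever.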