Date: Fri, 15 Jun 2012 18:11:25 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: prabhpal@digital-infotech.net
Cc: freebsd-stable@freebsd.org
Subject: Re: PF to Preventing SMTP Brute Force Attacks
Message-ID: <4FDB6CBD.6080900@infracaninophile.co.uk>
In-Reply-To: <98c09d7edf95e0e07910e7e5ce46accc.squirrel@mail.digital-infotech.net>
References: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net> <4FDB6490.8080509@infracaninophile.co.uk> <98c09d7edf95e0e07910e7e5ce46accc.squirrel@mail.digital-infotech.net>
On 15/06/2012 17:55, Shiv. Nath wrote:
>
>> Limiting yourself to 200 states won't protect you very much -- you tend
>> to get a whole series of attacks from the same IP, and that just uses
>> one state at a time.
>>
>> Instead, look at the frequency with which an attacker tries to connect
>> to you. Something like this:
>>
>> table <bruteforce> persist
>>
>> [...]
>>
>> block in log quick from <bruteforce>
>>
>> [...]
>>
>> pass in on $ext_if proto tcp \
>> from any to $ext_if port $trusted_tcp_ports \
>> flags S/SA keep state \
>> (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>>
>> Plus you'll need a cron job like this to clean up the bruteforce table,
>> otherwise it will just grow larger and larger:
>>
>> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>>
>> The end result of this is that if one IP tries to connect to you more
>> than 3 times in 5 minutes, they will get blacklisted. I normally use
>> this just for ssh, so you might want to adjust the parameters
>> appropriately. You should also implement a whitelist for IP ranges you
>> control or use frequently and that will never be used for bruteforce
>> attacks: it is quite easy to block yourself out with these sort of rules.
>>
>> Cheers,
>>
>> Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.                 7 Priory Courtyard
>>                                                 Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate
>> JID: matthew@infracaninophile.co.uk             Kent, CT11 9PW
>
>
> Dear Matthew,
>
> Grateful for sending me in right direction, solution really sounds well.
> Does it look good configuration for "/etc/pf.conf" ?
>
> # START
> table bruteforce persist

Watch the syntax -- it's table <bruteforce> persist with angle brackets.
> block in log quick from bruteforce
>
> pass in on $ext_if proto tcp \
> from any to $ext_if port $trusted_tcp_ports \
> flags S/SA keep state \
> (max-src-conn-rate 3/300, overload bruteforce flush global)

Again -- you need angle brackets around the table name.

>
> # END
>
> AND CRON:
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>
> What is the function "expire 604800" are they entries in the table?
> should it be -t bruteforce or -t ssh-bruteforce

Ooops. Yes, -t bruteforce is correct.

"expire 604800" means delete entries after they've been in the table for
that number of seconds (ie after one week)

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                 7 Priory Courtyard
                                                Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate
JID: matthew@infracaninophile.co.uk             Kent, CT11 9PW
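As an added example (not from either poster), here is the corrected /etc/pf.conf fragment with the angle-bracket table syntax, the whitelist the reply recommends, and the cron line pointed at the right table; the interface name, port list and whitelist addresses are assumed placeholders to be replaced with your own.

```pf
# Assumed interface and protected ports (placeholders, adjust to the host).
ext_if = "em0"
trusted_tcp_ports = "{ 22, 25 }"

# Sources that must never be rate-limited or blacklisted. The addresses are
# documentation-range placeholders, not real networks.
table <whitelist> const { 203.0.113.0/24, 198.51.100.7 }

# Offenders are added here by the overload clause; "persist" keeps the
# table (and its contents) across rule reloads.
table <bruteforce> persist

# Whitelisted sources are accepted first: "quick" stops evaluation here, so
# they can neither be blocked by the rule below nor trip the rate limit.
pass in quick on $ext_if proto tcp \
    from <whitelist> to $ext_if port $trusted_tcp_ports \
    flags S/SA keep state

# Anything already in the table is dropped and logged before any pass rule.
block in log quick from <bruteforce>

# More than 3 new connections from one source within 300 seconds puts that
# source into <bruteforce>; "flush global" also kills every state it holds.
pass in on $ext_if proto tcp \
    from any to $ext_if port $trusted_tcp_ports \
    flags S/SA keep state \
    (max-src-conn-rate 3/300, overload <bruteforce> flush global)

# Check the syntax before loading:      pfctl -nf /etc/pf.conf
# Inspect the offenders table:          pfctl -t bruteforce -T show
# Cron entry to age out entries older than 604800 s (one week), using the
# table name actually defined above:
#   */12 * * * * /sbin/pfctl -t bruteforce -T expire 604800 >/dev/null 2>&1
```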
