Date: Fri, 15 Jun 2012 18:11:25 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: prabhpal@digital-infotech.net
Cc: freebsd-stable@freebsd.org
Subject: Re: PF to Preventing SMTP Brute Force Attacks
Message-ID: <4FDB6CBD.6080900@infracaninophile.co.uk>
In-Reply-To: <98c09d7edf95e0e07910e7e5ce46accc.squirrel@mail.digital-infotech.net>
References: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net> <4FDB6490.8080509@infracaninophile.co.uk> <98c09d7edf95e0e07910e7e5ce46accc.squirrel@mail.digital-infotech.net>
On 15/06/2012 17:55, Shiv. Nath wrote:
>
>> Limiting yourself to 200 states won't protect you very much -- you tend
>> to get a whole series of attacks from the same IP, and that just uses
>> one state at a time.
>>
>> Instead, look at the frequency with which an attacker tries to connect
>> to you. Something like this:
>>
>> table <bruteforce> persist
>>
>> [...]
>>
>> block in log quick from <bruteforce>
>>
>> [...]
>>
>> pass in on $ext_if proto tcp \
>> from any to $ext_if port $trusted_tcp_ports \
>> flags S/SA keep state \
>> (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>>
>> Plus you'll need a cron job like this to clean up the bruteforce table,
>> otherwise it will just grow larger and larger:
>>
>> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>>
>> The end result of this is that if one IP tries to connect to you more
>> than 3 times in 5 minutes, they will get blacklisted. I normally use
>> this just for ssh, so you might want to adjust the parameters
>> appropriately. You should also implement a whitelist for IP ranges you
>> control or use frequently and that will never be used for bruteforce
>> attacks: it is quite easy to block yourself out with these sort of rules.
>>
>> Cheers,
>>
>> Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.    7 Priory Courtyard, Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey    Ramsgate
>> JID: matthew@infracaninophile.co.uk    Kent, CT11 9PW
>
>
> Dear Matthew,
>
> Grateful for sending me in the right direction, the solution really sounds good.
> Does it look like a good configuration for "/etc/pf.conf"?
>
> # START
> table bruteforce persist

Watch the syntax -- it's table <bruteforce> persist with angle brackets.

> block in log quick from bruteforce
>
> pass in on $ext_if proto tcp \
> from any to $ext_if port $trusted_tcp_ports \
> flags S/SA keep state \
> (max-src-conn-rate 3/300, overload bruteforce flush global)

Again -- you need angle brackets around the table name.

>
> # END
>
> AND CRON:
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>
> What is the function "expire 604800"? Are they entries in the table?
> Should it be -t bruteforce or -t ssh-bruteforce?

Ooops. Yes, -t bruteforce is correct. "expire 604800" means delete
entries after they've been in the table for that number of seconds (ie
after one week).

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.    7 Priory Courtyard, Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey    Ramsgate
JID: matthew@infracaninophile.co.uk    Kent, CT11 9PW
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4FDB6CBD.6080900>