From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: prabhpal@digital-infotech.net
Cc: freebsd-stable@freebsd.org
Date: Fri, 15 Jun 2012 18:11:25 +0100
Subject: Re: PF to Preventing SMTP Brute Force Attacks

On 15/06/2012 17:55, Shiv. Nath wrote:
>
>> Limiting yourself to 200 states won't protect you very much -- you tend
>> to get a whole series of attacks from the same IP, and that just uses
>> one state at a time.
>>
>> Instead, look at the frequency with which an attacker tries to connect
>> to you. Something like this:
>>
>> table <bruteforce> persist
>>
>> [...]
>>
>> block in log quick from <bruteforce>
>>
>> [...]
>>
>> pass in on $ext_if proto tcp \
>> from any to $ext_if port $trusted_tcp_ports \
>> flags S/SA keep state \
>> (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>>
>> Plus you'll need a cron job like this to clean up the bruteforce table,
>> otherwise it will just grow larger and larger:
>>
>> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>>
>> The end result of this is that if one IP tries to connect to you more
>> than 3 times in 5 minutes, they will get blacklisted. I normally use
>> this just for ssh, so you might want to adjust the parameters
>> appropriately. You should also implement a whitelist for IP ranges you
>> control or use frequently and that will never be used for bruteforce
>> attacks: it is quite easy to block yourself out with these sort of rules.
>>
>> Cheers,
>>
>> Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>>                                                   Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
>
>
> Dear Matthew,
>
> Grateful for sending me in the right direction, the solution really sounds good.
> Does this look like a good configuration for "/etc/pf.conf"?
>
> # START
> table bruteforce persist

Watch the syntax -- it's table <bruteforce> persist with angle brackets.

> block in log quick from bruteforce
>
> pass in on $ext_if proto tcp \
> from any to $ext_if port $trusted_tcp_ports \
> flags S/SA keep state \
> (max-src-conn-rate 3/300, overload bruteforce flush global)

Again -- you need angle brackets around the table name.

>
> # END
>
> AND CRON:
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>
> What is the function of "expire 604800"? Are they entries in the table?
> Should it be -t bruteforce or -t ssh-bruteforce?

Ooops. Yes, -t bruteforce is correct.

"expire 604800" means delete entries after they've been in the table for
that number of seconds (ie after one week).

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
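A complete /etc/pf.conf fragment that puts the corrected table syntax together with the whitelist Matthew recommends, targeted at SMTP as in the thread's subject. This is an added example, not configuration from the thread; the interface name, the whitelist file path and the use of port 25 are assumptions.

```pf
# Interface name and whitelist file are assumptions for this example.
ext_if = "em0"

# Addresses and ranges you control: never rate-limited, never blacklisted.
table <whitelist> persist file "/etc/pf.whitelist"
# Filled automatically by the overload rule below; persist keeps it
# across rule reloads, which is why the cron expiry job is needed.
table <bruteforce> persist

# Whitelisted sources match first ("quick"), so they are neither blocked
# by the <bruteforce> table nor added to it: this is the rule that stops
# you locking yourself out.
pass in quick on $ext_if proto tcp from <whitelist> to $ext_if port smtp \
    flags S/SA keep state

# Drop and log everything from sources that tripped the rate limit.
block in log quick on $ext_if from <bruteforce>

# More than 3 new SMTP connections from one source within 300 seconds
# puts that source into <bruteforce> and kills its existing states.
pass in on $ext_if proto tcp from any to $ext_if port smtp \
    flags S/SA keep state \
    (max-src-conn-rate 3/300, overload <bruteforce> flush global)

# Housekeeping, in root's crontab (note the table name matches the rule):
# */12 * * * * /sbin/pfctl -t bruteforce -T expire 604800 >/dev/null 2>&1
```

The 3/300 threshold is Matthew's ssh setting; a legitimate peer mail server can open more than three connections in five minutes, so loosen it for port 25 as he advises and check who landed in the table with `pfctl -t bruteforce -T show` before tightening it again.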