Date: Sun, 23 Aug 2009 03:57:32 +0100
From: Peter Maxwell <peter@allicient.co.uk>
To: Len Conrad <LConrad@go2france.com>, freebsd-pf@freebsd.org
Subject: Re: something like bruteblock for pf?
Message-ID: <7731938b0908221957g2150a2f0p3263b6cab72bdf81@mail.gmail.com>
In-Reply-To: <200908230340125.SM01728@W500.Go2France.com>
References: <200908230132343.SM01728@W500.Go2France.com> <a2b6592c0908221807q24e7f54aka75b561debca63eb@mail.gmail.com> <200908230340125.SM01728@W500.Go2France.com>
2009/8/23 Len Conrad <LConrad@go2france.com>:
>
> I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.
>

Are you sure you really need this in the first place? Others may disagree, but the way I see it is pf is a packet filter; your MTA should be dealing with SMTP "attacks".

Nonetheless, it's probably fairly trivial to do something like you are requesting. Create your pf ruleset with table(s) and corresponding drop rules. You can then create a simple cron script that parses the logs from your sshd, ftpd, etc. and uses pfctl to replace the appropriate table with offending IPs or address ranges. You would probably have to manage timeouts in your scripts as well, though.

Please note that - in most situations at least - allowing applications in userland to modify firewall rules is a particularly bad idea, for obvious reasons. Good firewall practice would suggest that the box doing packet filtering does that and only that, with all external services placed in a DMZ; if an attacker then compromises one of your services, they cannot mess about with the firewall rules, or much else for that matter.

Before implementing something like this, I would urge caution: if what you're asking was actually of any use, someone else would probably have done it properly. I can't imagine how log entries from an ftp server, say, are going to be related to your smtp server security? If it's simple connection management, then max-src-conn/max-src-conn-rate might be a more robust solution.

Peter
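The table-plus-cron-script approach sketched in the reply above, as an added example that is not code from the thread. It assumes FreeBSD sshd "Failed password" lines in /var/log/auth.log, a pf table named <bruteforce> with a drop rule in pf.conf, a threshold of 3 failures and a 3600 s block window; the sample log is constructed.

```sh
#!/bin/sh
# Added example for the cron-script approach in the reply above (not code from
# the thread). Assumes: sshd lines in /var/log/auth.log of the form
# "... sshd[PID]: Failed password for [invalid user] NAME from A.B.C.D port N ssh2",
# a table <bruteforce> declared in pf.conf, and a 3600 s block window.
#
# Assumed pf.conf side, the table plus its drop rule:
#   table <bruteforce> persist
#   block in quick on $ext_if from <bruteforce>
# The pf-native alternative the reply mentions needs no script at all:
#   pass in on $ext_if proto tcp to port ssh keep state \
#       (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush)

# Constructed sample log standing in for /var/log/auth.log.
sample_log() {
    cat <<'EOF'
Aug 23 03:10:01 mx sshd[1201]: Failed password for root from 192.0.2.10 port 4321 ssh2
Aug 23 03:10:03 mx sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 4322 ssh2
Aug 23 03:10:05 mx sshd[1205]: Failed password for root from 192.0.2.10 port 4323 ssh2
Aug 23 03:11:00 mx sshd[1210]: Failed password for root from 198.51.100.7 port 5000 ssh2
Aug 23 03:11:30 mx sshd[1211]: Accepted publickey for len from 203.0.113.5 port 6000 ssh2
EOF
}

# Read log lines on stdin; print each source address with >= $1 failures, sorted.
offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' | sort
}

# Cron entry point: update_table TABLE THRESHOLD WINDOW LOGFILE. Adds current
# offenders, then drops entries older than WINDOW seconds; "-T expire" is the
# pfctl(8) table command that handles the timeouts the reply says the script
# must manage. With DRY_RUN=1 the pfctl commands are printed instead of run.
update_table() {
    table=$1 threshold=$2 window=$3 log=$4
    tmp=$(mktemp) || return 1
    offenders "$threshold" < "$log" > "$tmp"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "pfctl -t $table -T add -f $tmp; pfctl -t $table -T expire $window"
    else
        pfctl -t "$table" -T add -f "$tmp" && pfctl -t "$table" -T expire "$window"
    fi
    rm -f "$tmp"
}
```

From cron, e.g. every five minutes: `update_table bruteforce 3 3600 /var/log/auth.log`; pfctl must run as root, and the script itself is exactly the userland-to-firewall path the reply warns about.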