auto-blackholing/blacklisting on multiple hacking attempts

Elliott Perrin elliott at c7.ca
Mon May 26 07:05:29 UTC 2008


On Mon, 2008-05-26 at 02:20 +0100, John . wrote:
> Hi,
> 
> I'm running freebsd 7-RELEASE
> 
> I see this, for example, in my auth log:
> 
> May 15 02:00:39 www sshd[9180]: Invalid user web from 201.18.232.30
> May 15 02:00:41 www sshd[9182]: Invalid user web from 201.18.232.30
> May 15 02:00:43 www sshd[9184]: Invalid user web from 201.18.232.30
> May 15 02:00:45 www sshd[9186]: Invalid user web from 201.18.232.30
> May 15 02:00:48 www sshd[9188]: Invalid user web from 201.18.232.30
> May 15 02:00:50 www sshd[9190]: Invalid user web from 201.18.232.30
> May 15 02:00:52 www sshd[9192]: Invalid user web from 201.18.232.30
> May 15 02:00:54 www sshd[9194]: Invalid user web from 201.18.232.30
> May 15 02:00:56 www sshd[9196]: Invalid user web from 201.18.232.30
> May 15 02:00:58 www sshd[9198]: Invalid user web from 201.18.232.30
> May 15 02:01:00 www sshd[9200]: Invalid user web from 201.18.232.30
> May 15 02:01:02 www sshd[9205]: Invalid user web from 201.18.232.30
> May 15 02:01:04 www sshd[9207]: Invalid user account from 201.18.232.30
> May 15 02:01:06 www sshd[9209]: Invalid user account from 201.18.232.30
> May 15 02:01:08 www sshd[9211]: Invalid user account from 201.18.232.30
> May 15 02:01:10 www sshd[9213]: Invalid user account from 201.18.232.30
> May 15 02:01:12 www sshd[9218]: Invalid user account from 201.18.232.30
> May 15 02:01:14 www sshd[9220]: Invalid user account from 201.18.232.30
> May 15 02:01:39 www sshd[9244]: Invalid user apache from 201.18.232.30
> May 15 02:01:41 www sshd[9246]: Invalid user apache from 201.18.232.30
> May 15 02:01:43 www sshd[9248]: Invalid user apache from 201.18.232.30
> May 15 02:01:45 www sshd[9250]: Invalid user apache from 201.18.232.30
> May 15 02:01:47 www sshd[9252]: Invalid user apache from 201.18.232.30
> 
> I'd like it to be so that if an IP tries to connect to sshd more than
> once in a 30 second period, that they are immediately blackholed.
> Should I be using pf for this or would it be done better in some other
> utility?
> 

In pf you could write a rule like 

pass in quick on $ext_if proto tcp from any to $some_ip_address port 22 \
    flags S/SAFR keep state (max-src-conn 1, max-src-conn-rate 1/30, \
    overload <ssh_hacks> flush global)

you would have to have set up a table named <ssh_hacks> in your
configuration and assigned values to both $ext_if and $some_ip_address, or
replaced them with whatever values work for you.

This rule would track connections allowing a maximum of 1 connection per
source IP address and would allow 1 connection to be initiated every 31
seconds or longer, otherwise it would add the offending IP address to
the <ssh_hacks> table and flush the global state table of all entries
from the same source IP. 

You would have to have a rule in your configuration prior to this rule
that would block traffic from source IP addresses in the ssh_hacks
table. Depending on your policies this could be a block of all services
or just ssh. Personally I use a rule like

block drop log quick from <ssh_hacks> 

but 

block drop log in quick proto tcp from <ssh_hacks> to any port 22 

would block ssh traffic from the offending IP to just ssh services on
your network. 

Beware that you can lock yourself out of your servers very quickly with
this if you do not have another rule allowing yourself access to your
machines set up earlier in your configuration.

Cheers,
~e
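The reply above gives the three pieces (the overload table, the block rule, the rate-limited pass rule) separately and warns about rule order and self-lockout. The following is an added example pf.conf, not code from the original post or from the FreeBSD project, that assembles them into one minimal ruleset in the order pf needs. The interface name, the sshd address, the trusted admin host and the table name are assumptions; substitute your own.

```pf
# Added example ruleset (not from the original post). Names and addresses
# below are assumptions for illustration.

ext_if = "em0"                      # external interface (assumed)
ssh_host = "203.0.113.10"           # address sshd listens on (assumed)
admin_hosts = "{ 198.51.100.7 }"    # hosts that must never be locked out (assumed)

# Filled at runtime by the overload option below. 'persist' keeps the
# table, and whatever pf has added to it, across ruleset reloads.
table <ssh_hacks> persist

set skip on lo0

# 1. Trusted hosts first, with 'quick', so no later rule can ever match
#    them and they can never be added to <ssh_hacks>.
pass in quick on $ext_if proto tcp from $admin_hosts to $ssh_host port 22 \
    flags S/SA keep state

# 2. Known offenders next. This must precede the rate-limiting pass rule,
#    because that rule is also 'quick' and would otherwise match first.
#    Use 'to $ssh_host port 22' instead of 'to any' to block only ssh.
block drop in log quick on $ext_if from <ssh_hacks> to any

# 3. Everyone else: at most one state per source address, and a source
#    that opens more than one new connection within 30 seconds is added
#    to <ssh_hacks>; 'flush global' then kills all of its existing states.
pass in quick on $ext_if proto tcp from any to $ssh_host port 22 \
    flags S/SA keep state \
    (max-src-conn 1, max-src-conn-rate 1/30, overload <ssh_hacks> flush global)

# Default deny for anything else inbound on the external interface.
block in on $ext_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and list who has been caught with `pfctl -t ssh_hacks -T show`. Entries added by overload stay in the table until removed; `pfctl -t ssh_hacks -T expire 3600` (for example from cron) drops entries older than an hour, and `pfctl -t ssh_hacks -T delete <address>` releases one address by hand. Note that with max-src-conn 1 a legitimate user who opens a second ssh session from the same address within 30 seconds is treated exactly like the scanner in the log above, which is why the trusted-host rule has to sit first.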
