Security blocking question
Matthew Seaman
m.seaman at infracaninophile.co.uk
Fri Oct 16 07:30:28 UTC 2009
Aflatoon Aflatooni wrote:
>>> Is there a way that I could configure the server so that if there are for
>>> example X attempts from an IP address then for the next Y hours all the SSH
>>> requests would be ignored from that IP address? There are only a handful of
>>> people who have access to that server.
>>
>> Yes.
>>
>> In pf.conf:
>>
>> table <ssh-bruteforce> persist
>>
>> [...]
>>
>> block drop in log quick on $ext_if from <ssh-bruteforce>
>>
>> [...]
>>
>> pass in on $ext_if proto tcp \
>> from any to $ext_if port ssh \
>> flags S/SA keep state \
>> (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
>>
>> plus you'll need to add a cron job to clear old entries out of the
>> ssh-bruteforce
>> table after a suitable amount of time has passed. Use expiretable to do
>> that. Note: in practice I've found that it's a *really good idea* to implement
>> a SSH whitelist of addresses that will never be bruteforce blocked like this --
>> it's very easy to lock yourself out even if everything you're doing is entirely
>> legitimate. Coding that is left as an exercise for the reader.
>>
>
> What is the best way of testing the PF rule? Is there a quick way to mimic a brute force?
> Is there a way that I could review the content of the table through pfctl -s all?
To test, you need access to a machine not in your whitelist from where you
can try ssh'ing into the protected machine several times in rapid sequence.
3 times in 30s sounds quite fast, but it is actually not too hard to achieve
accidentally, especially if you use tools like rsync over SSH transport. You
should have a login concurrently from some other IP or on the console, otherwise
you will lock yourself out.
To see what IPs have been added to the ssh-bruteforce table and when and what
traffic has been blocked:
# pfctl -vv -t ssh-bruteforce -T show
To manually delete an IP from the ssh-bruteforce table:
# pfctl -t ssh-bruteforce -T delete 12.34.56.78
As noted elsewhere in this thread, instead of using expiretable, you can run this
out of cron to expire addresses over a day old from the ssh-bruteforce blocklist:
# pfctl -t ssh-bruteforce -T expire 86400
The pfctl(8) man page is pretty illuminating.
Cheers,
Matthew
PS. Got to love the way that HTML-ising e-mail has deleted the table name
from the examples above. I hope you could actually read it unmunged. Plain
text rools!
--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
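The reply above shows how to inspect the table with `pfctl -vv -t ssh-bruteforce -T show`, how to delete an entry by hand, and how to expire old entries from cron, and it recommends a whitelist of addresses that must never end up blocked. The following script is an added example, not code from the thread or from FreeBSD: it parses the `-vv -T show` output offline (the layout of the `Cleared:` and `In/Block:` lines is assumed from pfctl(8), and the sample below is constructed, not captured from anyone's host), reports which entries are older than the 86400-second window, and flags any entry that falls inside a never-block network so the operator can remove it before the whitelist gap locks someone out. The reference time `NOW` is a constructed value; on a live box you would feed it the real command output and `datetime.now()`.

```python
"""Offline check of a pf `ssh-bruteforce` table dump (added example, not from the thread)."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_network

TABLE = "ssh-bruteforce"

# Constructed sample in the layout of `pfctl -vv -t ssh-bruteforce -T show`
# (layout assumed from pfctl(8); addresses are documentation ranges).
SAMPLE_SHOW = """\
   192.0.2.10
\tCleared:     Thu Oct 15 06:00:00 2009
\tIn/Block:    [ Packets: 42                 Bytes: 2520               ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
   198.51.100.7
\tCleared:     Fri Oct 16 07:00:00 2009
\tIn/Block:    [ Packets: 3                  Bytes: 180                ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
   203.0.113.5
\tCleared:     Fri Oct 16 07:25:00 2009
\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]
\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]
\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]
\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]
"""

# Constructed reference time matching the date of the mail; use datetime.now() live.
NOW = datetime(2009, 10, 16, 7, 30, 28)

CLEARED_RE = re.compile(r"^\s*Cleared:\s+(.+?)\s*$")
INBLOCK_RE = re.compile(r"^\s*In/Block:\s+\[\s*Packets:\s+(\d+)\s+Bytes:\s+(\d+)")


def parse_show(text):
    """Return one dict per table entry: addr, cleared (datetime), in_block_packets."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = CLEARED_RE.match(line)
        if m and entries:
            # "Cleared" is when the counters were reset, i.e. when the entry was added.
            entries[-1]["cleared"] = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            continue
        m = INBLOCK_RE.match(line)
        if m and entries:
            entries[-1]["in_block_packets"] = int(m.group(1))
            continue
        try:
            ip_network(stripped, strict=False)  # an address/prefix line starts a new entry
        except ValueError:
            continue  # In/Pass, Out/* counter lines and anything else we do not need
        entries.append({"addr": stripped, "cleared": None, "in_block_packets": 0})
    return entries


def expired(entries, now=NOW, ttl_seconds=86400):
    """Addresses older than ttl_seconds: what `pfctl -T expire 86400` would remove."""
    cutoff = now - timedelta(seconds=ttl_seconds)
    return [e["addr"] for e in entries if e["cleared"] and e["cleared"] < cutoff]


def whitelisted_hits(entries, whitelist):
    """Table entries that fall inside a never-block network and should be deleted."""
    nets = [ip_network(w) for w in whitelist]
    hits = []
    for e in entries:
        a = ip_network(e["addr"], strict=False)
        if any(a.version == n.version and a.subnet_of(n) for n in nets):
            hits.append(e["addr"])
    return hits


def delete_commands(addrs, table=TABLE):
    """The manual removal commands from the reply, one per address."""
    return [f"pfctl -t {table} -T delete {a}" for a in addrs]


if __name__ == "__main__":
    entries = parse_show(SAMPLE_SHOW)
    for e in entries:
        age = NOW - e["cleared"]
        print(f"{e['addr']:16} added {e['cleared']:%Y-%m-%d %H:%M} "
              f"({age.total_seconds() / 3600:.1f}h ago) blocked packets: {e['in_block_packets']}")
    print("expired:", expired(entries))
    print("whitelisted but blocked:", whitelisted_hits(entries, ["203.0.113.0/24"]))
    print("\n".join(delete_commands(whitelisted_hits(entries, ["203.0.113.0/24"]))))
```

The whitelist passed to `whitelisted_hits` is the same list an operator would load into a separate `<ssh-whitelist>` table in pf.conf and match with a `pass ... quick` rule placed ahead of the rate-limited rule, so that those addresses never reach the `overload` clause in the first place; this script only catches the case where that gap has not been closed yet.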