Security blocking question

Aflatoon Aflatooni aaflatooni at yahoo.com
Fri Oct 16 19:12:00 UTC 2009


> Aflatoon Aflatooni wrote:
> >>> Is there a way that I could configure the server so that if there are for
> >>> example X attempts from an IP address then for the next Y hours all the SSH
> >>> requests would be ignored from that IP address? There are only a handful of
> >>> people who have access to that server.
> >> 
> >> Yes.
> >> 
> >> In pf.conf:
> >> 
> >> table <ssh-bruteforce> persist
> >> 
> >> [...]
> >> 
> >> block drop in log quick on $ext_if from <ssh-bruteforce>
> >> [...]
> >> 
> >> pass in on $ext_if proto tcp      \
> >>    from any to $ext_if port ssh \
> >>    flags S/SA keep state        \
> >>    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> >> 
> >> plus you'll need to add a cron job to clear old entries out of the
> >> ssh-bruteforce table after a suitable amount of time has passed.  Use
> >> expiretable to do that.  Note: in practice I've found that it's a
> >> *really good idea* to implement an SSH whitelist of addresses that will
> >> never be bruteforce blocked like this -- it's very easy to lock yourself
> >> out even if everything you're doing is entirely legitimate.  Coding that
> >> is left as an exercise for the reader.
> >> 
> > 
> > What is the best way of testing the PF rule? Is there a quick way to mimic a
> > brute force? Is there a way that I could review the content of the table through
> > pfctl -s all
> 
> To test, you need access to a machine not in your whitelist from where you
> can try ssh'ing into the protected machine several times in rapid sequence.
> 3 times in 30s sounds quite fast, but it is actually not too hard to achieve
> accidentally, especially if you use tools like rsync over SSH transport.  You
> should have a login concurrently from some other IP or on the console, otherwise
> you will lock yourself out.
> 
> To see what IPs have been added to the ssh-bruteforce table and when and what
> traffic has been blocked:
> 
>   # pfctl -vv -t ssh-bruteforce -T show
> 
> To manually delete an IP from the ssh-bruteforce table:
> 
>   # pfctl -t ssh-bruteforce -T delete 12.34.56.78
> 
> As noted elsewhere in this thread, instead of using expiretable, you can run
> this out of cron to expire addresses over a day old from the ssh-bruteforce
> blocklist:
> 
>   # pfctl -t ssh-bruteforce -T expire 86400
> 
> The pfctl(8) man page is pretty illuminating.
> 
>     Cheers,
> 
>     Matthew
> 

Thanks,
I have the following in my pf.conf:

ext_if="bge0"
# Public Services --  smtp, http, pop3s
tcpPubServices = "{ 25, 80, 995 }"
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set limit { states 10000, frags 5000 }
#set loginterface none
set optimization normal
set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
set skip on lo0
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

pass out all
block in log all
table <sshBruteForce> { }
block in quick from <sshBruteForce> to any
pass in on $ext_if inet proto tcp from any to any port $tcpPubServices flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to any port ssh modulate state (source-track rule max-src-nodes 8 max-src-conn 8 max-src-conn-rate 3/60 overload <sshBruteForce> flush global)


And I have tried making a lot of ssh connections to the box and killing them with ctrl-c or a bad password, but nothing gets added to the table. There isn't anything in the log either. How would I go about figuring out what is wrong?

Thanks
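As an added illustration (not part of the thread, and not pf's own code), here is a small Python model of what a `max-src-conn-rate 3/60 ... overload <sshBruteForce>` rule counts, together with the address whitelist and the `pfctl -T expire` cron step discussed above. It uses a plain sliding window rather than pf's moving-average approximation and assumes, per pf.conf(5), that only connections which complete the TCP 3-way handshake are counted; all addresses and timings are constructed sample values.

```python
"""Simplified model of pf's per-source connection-rate tracking
(sliding window; pf itself uses a moving-average approximation)."""
from collections import defaultdict, deque

# Addresses that must never be blocked (constructed, e.g. your admin host).
WHITELIST = {"192.0.2.10"}

# Constructed connection log: (seconds, source IP, TCP handshake completed?).
# pf only counts connections that finished the 3-way handshake, so SYNs that
# never complete (half-open attempts) do not move the counter.
SAMPLE_EVENTS = [
    (0, "198.51.100.7", True), (5, "198.51.100.7", True),
    (10, "198.51.100.7", True), (15, "198.51.100.7", True),  # 4 in 15 s
    (0, "203.0.113.9", True), (61, "203.0.113.9", True),
    (122, "203.0.113.9", True), (183, "203.0.113.9", True),  # 1 per window
    (0, "203.0.113.5", False), (1, "203.0.113.5", False),
    (2, "203.0.113.5", False), (3, "203.0.113.5", False),    # half-open only
    (0, "192.0.2.10", True), (1, "192.0.2.10", True),
    (2, "192.0.2.10", True), (3, "192.0.2.10", True),        # whitelisted
]

def track_overload(events, max_conn=3, window=60, whitelist=WHITELIST):
    """Return {src_ip: time_added} for sources that exceed max_conn completed
    connections within any `window` seconds (the overload condition)."""
    recent = defaultdict(deque)   # src_ip -> timestamps inside the window
    table = {}
    for t, ip, completed in sorted(events):
        if not completed or ip in whitelist:
            continue
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # forget connections older than the window
            q.popleft()
        if len(q) > max_conn and ip not in table:
            table[ip] = t         # overload: address enters <sshBruteForce>
    return table

def expire(table, now, max_age=86400):
    """Mirror `pfctl -t sshBruteForce -T expire 86400`: drop entries older
    than max_age seconds, the cron step described in the thread."""
    return {ip: t for ip, t in table.items() if now - t <= max_age}

def demo():
    """Run the model over the constructed log; returns the resulting table."""
    return track_overload(SAMPLE_EVENTS)

if __name__ == "__main__":
    print(demo())  # {'198.51.100.7': 15}
```

Only the source that completed four connections inside one window lands in the table; the slow source, the half-open source and the whitelisted host never do.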

