pf suggestions for paced attack

John john at starfire.mn.org
Mon May 3 16:39:36 UTC 2010 

On Mon, May 03, 2010 at 05:29:24PM +0100, Matthew Seaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 03/05/2010 15:41:10, John wrote:
> > The script kiddies have apparently figured out that we use some
> > time-window sensitivity in our adaptive filtering.  From sshd, I've
> > been seeing "reverse mapping checking getaddrinfo ... failed" and
> > from ftpd (when I have the port open at all, which is rare), I am
> > seeing probes at about 27 second intervals.  This stays well below
> > the 3/30 (three connections in 30 seconds) sensitivity that I had
> > been using.  It took them nearly two and a half hours to make 154
> > attemps, but computers are very patient.
> > 
> > I have now changed the timing window sensivity, but it's to the
> > point now where there's a significant probability that someone could
> > lock themselves out (temporarily, at least, I do clear these tables
> > periodically) if they are having a bit of a fat-finger moment with
> > their password.
> > 
> > Anybody got any superior suggestions?
> 
> Heh.  If the attackers are forced to slow down the probe rate so
> drastically, then their chances of breaking in would be greatly reduced
> /even/ if you were using guessable passwords.  Which I shall assume you
> aren't: key based auth is what you need, or maybe OTP.  You certainly
> should not be relying on rate-adaptive blocking alone to secure your
> system -- it's more a way of preventing your log files from being
> flooded with crap -- and you've limited that quite effectively by
> forcing the attackers to slow down.  I'd not feel any necessity to
> modify the rate settings on your PF rule.
> 
> Anyhow, there is certainly a potential to lock yourself out using
> adaptive blacklisting.  If you know where your friends are going to be
> logging in from, then I'd set up a whitelist.  Something like this:
> 
> (replace with a list of the addresses / ranges you want to allow)
> 
> table <ssh-whitelist> const { \
>     192.0.2.0/24              \
> } persist
> table <ssh-bruteforce> persist
> 
> set skip on lo0
> 
> scrub in
> pass all
> 
> antispoof log quick for lo0
> block drop in log quick from <ssh-bruteforce>
> 
> pass in proto tcp from !<ssh-whitelist> to port ssh \
>      flags S/SA keep state                          \
>      (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
> pass in proto tcp from <ssh-whitelist> to port ssh  \
>      flags S/SA keep state
> 
> 	Cheers,
> 
> 	Matthew
> 
> - -- 
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW

Hi, Matthew.  Indeed, yes, you may not recall, but my rules are
based on a set that I originally got from you, and I do, in fact,
have a white list, which I should have mentioned, but some of my
users are "road warriors" and could be coming from virtually anywhere.
You're right, though - it's time to look into alternatives to
password-based authenticaion.  I think I've taken password-based
protection and rate adaptive rules to their logical limit.

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkve+eQACgkQ8Mjk52CukIzpTwCgg/NpuZjR1mnfkcBX169LB5Ih
> ykYAnjQLprMKxMtKW2IfgWNEB5bTt33Q
> =12Jn
> -----END PGP SIGNATURE-----
-- 

John Lind
john at starfire.MN.ORG

More information about the freebsd-questions mailing list