PF to Preventing SMTP Brute Force Attacks

Matthew Seaman m.seaman at infracaninophile.co.uk
Fri Jun 15 17:11:44 UTC 2012


On 15/06/2012 17:55, Shiv. Nath wrote:
> 
>> Limiting yourself to 200 states won't protect you very much -- you tend
>> to get a whole series of attacks from the same IP, and that just uses
>> one state at a time.
>>
>> Instead, look at the frequency with which an attacker tries to connect
>> to you.  Something like this:
>>
>> table <bruteforce> persist
>>
>> [...]
>>
>> block in log quick from <bruteforce>
>>
>> [...]
>>
>> pass in on $ext_if proto tcp                     \
>>      from any to $ext_if port $trusted_tcp_ports \
>>      flags S/SA keep state                       \
>>      (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>>
>> Plus you'll need a cron job like this to clean up the bruteforce table,
>> otherwise it will just grow larger and larger:
>>
>> */12 * * * *	/sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>>
>> The end result of this is that if one IP tries to connect to you more
>> than 3 times in 5 minutes, they will get blacklisted.  I normally use
>> this just for ssh, so you might want to adjust the parameters
>> appropriately.  You should also implement a whitelist for IP ranges you
>> control or use frequently and that will never be used for bruteforce
>> attacks: it is quite easy to block yourself out with these sort of rules.
>>
>> 	Cheers,
>>
>> 	Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>>                                                   Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>> JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
> 
> 
> Dear Matthew,
> 
> Grateful for sending me in the right direction; the solution really sounds good.
> Does it look like a good configuration for "/etc/pf.conf"?
> 
> # START
> table bruteforce persist

Watch the syntax -- it's table <bruteforce> persist with angle brackets.

> block in log quick from bruteforce
> 
> pass in on $ext_if proto tcp \
> from any to $ext_if port $trusted_tcp_ports \
> flags S/SA keep state \
> (max-src-conn-rate 3/300, overload bruteforce flush global)

Again -- you need angle brackets around the table name.

> 
> # END
> 
> AND CRON:
> */12 * * * *	/sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
> 
> What is the function of "expire 604800"? Are they entries in the table?
> Should it be -t bruteforce or -t ssh-bruteforce?

Ooops.  Yes, -t bruteforce is correct.  "expire 604800" means delete
entries after they've been in the table for that number of seconds (i.e.
after one week).

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
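For readers putting the advice from this thread together, here is a complete
/etc/pf.conf that combines the pieces discussed above: the <bruteforce>
overload table, the quick block rule placed before the rate-limited pass
rules, and the whitelist Matthew recommends so you cannot lock yourself out.
This is an added example, not config posted by anyone in the thread.  The
interface name em0, the whitelist addresses (RFC 5737 documentation ranges),
the choice of ports and the SMTP rate of 20 new connections per minute are
all assumptions chosen for illustration; the thread's own 3/300 figure is kept
for ssh, since that is what it was tuned for.  The example goes one step
beyond the thread by giving ssh and SMTP separate rate rules, because a busy
remote MTA will legitimately open more connections in five minutes than an
ssh user will.

```pf
# /etc/pf.conf -- example, assumed values throughout

ext_if = "em0"                      # assumed external interface
ssh_port = "22"
smtp_ports = "{ 25, 587 }"

# Sources that must never be rate-limited or blacklisted: your own
# networks, monitoring hosts, a trusted relay.  Addresses are assumed.
table <whitelist> persist { 192.0.2.0/24, 198.51.100.7 }

# Filled automatically by the overload clauses below; 'persist' keeps the
# table even when no rule currently references it.
table <bruteforce> persist

set skip on lo0

# Default deny inbound; the rules below open what is needed.
block in log on $ext_if

# Whitelisted sources bypass everything else.  'quick' stops evaluation
# here, so the overload rules never see these hosts.
pass in quick on $ext_if proto tcp from <whitelist> \
        to $ext_if port { $ssh_port, $smtp_ports } \
        flags S/SA keep state

# Blacklisted sources are dropped.  This must be 'quick' and must come
# before the pass rules, otherwise the later pass rule would win.
block in log quick on $ext_if from <bruteforce>

# ssh: more than 3 new connections from one source in 300 seconds adds
# that source to <bruteforce> and 'flush global' tears down every state
# it already holds, not only the states created by this rule.
pass in on $ext_if proto tcp from any to $ext_if port $ssh_port \
        flags S/SA keep state \
        (max-src-conn-rate 3/300, overload <bruteforce> flush global)

# SMTP: same mechanism, looser threshold (assumed 20 per 60 seconds).
# Tune against your own logs before relying on it; a legitimate sender
# retrying queued mail should stay well under the limit.
pass in on $ext_if proto tcp from any to $ext_if port $smtp_ports \
        flags S/SA keep state \
        (max-src-conn-rate 20/60, overload <bruteforce> flush global)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and pair it
with the corrected cron entry from above,
`*/12 * * * * /sbin/pfctl -t bruteforce -T expire 604800 >/dev/null 2>&1`,
so the table does not grow without bound.  `pfctl -t bruteforce -T show`
lists what has been caught, and `pfctl -t bruteforce -T delete <address>`
releases a host you blocked by mistake; a host in <whitelist> never reaches
the overload rules, so it can never end up in the table in the first place.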


