PF to Preventing SMTP Brute Force Attacks
Matthew Seaman
m.seaman at infracaninophile.co.uk
Fri Jun 15 17:11:44 UTC 2012
On 15/06/2012 17:55, Shiv. Nath wrote:
>
>> Limiting yourself to 200 states won't protect you very much -- you tend
>> to get a whole series of attacks from the same IP, and that just uses
>> one state at a time.
>>
>> Instead, look at the frequency with which an attacker tries to connect
>> to you. Something like this:
>>
>> table <bruteforce> persist
>>
>> [...]
>>
>> block in log quick from <bruteforce>
>>
>> [...]
>>
>> pass in on $ext_if proto tcp \
>> from any to $ext_if port $trusted_tcp_ports \
>> flags S/SA keep state \
>> (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>>
>> Plus you'll need a cron job like this to clean up the bruteforce table,
>> otherwise it will just grow larger and larger:
>>
>> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null
>> 2>&1
>>
>> The end result of this is that if one IP tries to connect to you more
>> than 3 times in 5 minutes, they will get blacklisted. I normally use
>> this just for ssh, so you might want to adjust the parameters
>> appropriately. You should also implement a whitelist for IP ranges you
>> control or use frequently and that will never be used for bruteforce
>> attacks: it is quite easy to block yourself out with these sort of rules.
>>
>> Cheers,
>>
>> Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
>> Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
>> JID: matthew at infracaninophile.co.uk Kent, CT11 9PW
>
>
> Dear Mattthew,
>
> Grateful for sending me in right direction, solution really sounds well.
> Does it look good configuration for "/etc/pf.conf" ?
>
> # START
> table bruteforce persist
Watch the syntax -- it's table <bruteforce> persist with angle brackets.
> block in log quick from bruteforce
>
> pass in on $ext_if proto tcp \
> from any to $ext_if port $trusted_tcp_ports \
> flags S/SA keep state \
> (max-src-conn-rate 3/300, overload bruteforce flush global)
Again -- you need angle brackets around the table name.
>
> # END
>
> AND CRON:
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null
> 2>&1
>
> What is the function "expire 604800" are they entries in the table?
> should it be -t bruteforce or -t ssh-bruteforce
Ooops. Yes, -t bruteforce is correct. "expire 604800" means delete
entries after they've been in the table for that number of seconds (ie
after one week)
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew at infracaninophile.co.uk Kent, CT11 9PW
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20120615/ab5992e4/signature.pgp
More information about the freebsd-stable
mailing list