Nico De Dobbeleer wrote:
Hello,
As most of the public ip's my servers are constantly under bruteforce attack see example:
Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
...
Now I want to limit the connection over ssh to a specific ipaddress and I added the rules below for that.
------------------------------------------------------------------------------------------------------------------
#Tables
table <abusive_ips> persist file "/etc/pf.abusive_ips.block.list"
table <brute> persist
# Rules
block quick from <abusive_ips>
block quick from <brute>
# Limit connections per IP
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
(max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
(max-src-conn 10, max-src-conn-rate 3/15, overload <brute> flush)
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
(max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)
--------------------------------------------------------------------------------------------------------------------
The only problem is that it doesn't work. These rules don't write the abusive ip in the abusif list file or in the <brute> table.
Anyone an idea why it doesn't overload the ip's when the connections per ip are more then 10 of more then 3/15?
- which FreeBSD version is this 6.x 7.x/8.x?
- avoid the quick keyword in the rules with overload
- pf can preload IP's from file specified in
"table <tablename> ... file "/filename" but does not write IP's into
the file. I use the script below to do this on a OpenBSD machine.
- rewrite your rule and avoid the any keyword
pass in on { $ext_if, $int_if, $mng_if } inet proto tcp \
from !<brute> to xx.xx.xx.xx port ssh flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 3/15, overload <brute> flush)
hint:
- look for the additional keyword global (flush global)
- If the IP in your rule is your base IP on $ext_if write it with as
$ext_if:0
this script writes IP's from the bf_* tables into a file so you can
preload them next time pf rules are installed or the machine reboots.
additional it can send you a mail with IP's added to the table and if
GeoIP is installed you get the GeoIP info.
With a little modification of the script/rules It will work for you
#!/bin/sh
##################################################################
# $Source: RCS/pftable_to_file.sh,v $
# OS: OpenBSD
#
# olli hauer
#
##################################################################
# sample rule for pf
# ---------------------------
# block in log quick proto { tcp, udp } from <bf_ssh> \
# to any port ssh label BRUTFORCE-SSH # table for overload connections
#
# pass in log on $if_ext inet proto tcp from ! <bf_ssh> to $if_ext \
# port = ssh flags S/SA keep state \
# (source-track rule, max-src-conn 10, \
# max-src-conn-rate 3/90, overload <bf_ssh> \
# flush global, if-bound, src.track 90) \
# label "SSH"
umask 077
PF_TABLES="bf_mail bf_ssh bf_web"
OUTDIR="/etc/pf"
GEOIP=/usr/local/bin/geoiplookup
# hold the output from pfctl -tx -Ts
TMP_PFCTL=`mktemp /tmp/.tmp_pf_table.XXXXXXXXXX` || exit 1
# hold the diff between old and new
TMP_DIFF=`mktemp /tmp/.tmp_diff.XXXXXXXXXX` || exit 1
trap 'rm -f ${TMP_PFCTL} ${TMP_DIFF}' 0 1 2 3 13 15
[ -d ${OUTDIR} ] || mkdir -p ${OUTDIR}
for TABLE in ${PF_TABLES}; do
# make sure the output file exists
[ -f ${OUTDIR}/${TABLE} ] || /usr/bin/touch ${OUTDIR}/${TABLE}
# extraxt IP's from table
/sbin/pfctl -t${TABLE} -Ts | awk '{print $1}' > ${TMP_PFCTL}
# we need only the '+diff' to grep for this later
/usr/bin/diff -bu ${OUTDIR}/${TABLE} ${TMP_PFCTL} > ${TMP_DIFF}
RETVAL=$?
case ${RETVAL} in
0) continue ;;
1)
# save the old file
if [ -f ${OUTDIR}/${TABLE} ]; then
cp ${OUTDIR}/${TABLE} ${OUTDIR}/${TABLE}.old
fi
# mail message header
date
echo "change in table: ${TABLE}"
echo "------------------------------------"
# lookup the IP in the GeoIP database
if [ -x ${GEOIP} ]; then
for IP in `egrep "^\+[0-9]" ${TMP_DIFF} | tr -d \+`; do
# print the IP wo. linefeed
printf "%-20s # " ${IP}
# strip netmask if we add NET by hand
IPT=`echo ${IP} | sed 's/\/[[:digit:]]*//g'`
# make a short GeoIP output
${GEOIP} ${IPT} | sed 's/ Country Edition//g'
done
else
egrep "^\+[0-9]" ${TMP_DIFF} | tr -d \+
fi
mv ${TMP_PFCTL} ${OUTDIR}/${TABLE}
;;
*) echo "error in diff" ;;
esac
done
small snippet from my bf_ssh file (places with IP rangees I don't visit
in near time)
snippet from file:/etc/pf/bf_ssh
12.0.0.0/8
21.0.0.0/8
24.0.0.0/8
25.0.0.0/8
26.0.0.0/8
28.0.0.0/8
29.0.0.0/8
30.0.0.0/8
32.0.0.0/8
33.0.0.0/8
38.0.0.0/8
58.0.0.0/8
59.0.0.0/8
60.0.0.0/8
61.0.0.0/8
62.0.0.0/8
63.0.0.0/8
64.0.0.0/8
...
216.0.0.0/8
217.0.0.0/8
218.0.0.0/8
219.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
