Re: PF to Preventing SMTP Brute Force Attacks

Fri, 15 Jun 2012 09:37:21 -0700 

On 15/06/2012 17:17, Shiv. Nath wrote:
> Hi FreeBSD Gurus,
> 
> 
> i want to use PF to Preventing SMTP Brute Force Attacks. i need some help
> to understand correct syntax.
> 
> URL Explaining this: http://www.openbsd.org/faq/pf/filter.html#stateopts
> 
> 
> i expect the following behavior from the PF rule below:
> 
> Limit the absolute maximum number of states that this rule can create to 200
> 
> Enable source tracking; limit state creation based on states created by
> this rule only
> 
> Limit the maximum number of nodes that can simultaneously create state to 100
> 
> Limit the maximum number of simultaneous states per source IP to 3
> 
> Solution:
> int0="em0"
> trusted_tcp_ports="{22,25,443,465}"
> 
> pass in on $int0 proto tcp from any to any port $trusted_tcp_ports keep
> state max 200, source-track rule, max-src-nodes 100, max-src-states 3

Limiting yourself to 200 states won't protect you very much -- you tend
to get a whole series of attacks from the same IP, and that just uses
one state at a time.

Instead, look at the frequency with which an attacker tries to connect
to you.  Something like this:

table <bruteforce> persist

[...]

block in log quick from <bruteforce>

[...]

pass in on $ext_if proto tcp                     \
     from any to $ext_if port $trusted_tcp_ports \
     flags S/SA keep state                       \
     (max-src-conn-rate 3/300, overload <bruteforce> flush global)

Plus you'll need a cron job like this to clean up the bruteforce table,
otherwise it will just grow larger and larger:

*/12 * * * *    /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1

The end result of this is that if one IP tries to connect to you more
than 3 times in 5 minutes, they will get blacklisted.  I normally use
this just for ssh, so you might want to adjust the parameters
appropriately.  You should also implement a whitelist for IP ranges you
control or use frequently and that will never be used for bruteforce
attacks: it is quite easy to block yourself out with these sort of rules.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to