Hi Marios

On 25/06/12 15:58, Marios Makassikis wrote:
> On 25 June 2012 15:36, Matthias Cramer <cra...@freestone.net> wrote:
>> Hi
>>
>
> Hi,
>
>> From time to time I have some attacks to my SIP PBX. I like to block them on
>> my OpenBSD box which stands in front of it. The problem I'm facing is that the
>> attacker's IP has already a state in the state table and the block rule I
>> insert simply does nothing.
>>
>> In the state table I see the following:
>>
>> all udp my_ip:5060 <- attacker_ip:5231       MULTIPLE:MULTIPLE
>> all udp attacker_ip:5231 -> my_ip:5060       MULTIPLE:MULTIPLE
>>
>> in /etc/pf.conf at the top I have the following
>>
>> table <badguys> {attacker_ip}
>>
>> block out quick to {<badguys>}
>> block in quick from {<badguys>}
>>
>> After clearing all states with pfctl -F states the connection is blocked.
>>
>> Is there a way to:
>>  - clear a single state?
> This will remove all states associated with attacker_ip:
>
> pfctl -k attacker_ip

Superb.

> If you want to remove only a given state, you can do so by specifying a
> state id rather than an IP address.
> You can find out about the state IDs with pfctl -vvss
>
>>  - to block a packet even with a established state ?
>>
>
> How are you detecting attackers in your current setup ?

At the moment by hand ... I know that is not acceptable ...

> I would consider having PF rate-limit connections to your SIP PBX, and
> add any host
> that goes over the limit to your badguys table.
> An example is described here: http://home.nuug.no/~peter/pf/en/bruteforce.html

I saw this. But the problem is, the attacker always comes with the same
IP/Port combo, so there is always the same session for pf. So this method
does not work!

Is there a way to do something similar by packets per second?

Regards

  Matthias

--
Matthias Cramer, Erachfeldstrasse 1b, CH-8180 Bülach
http://www.freestone.net
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E  3959 B62F DF1C 2D20 8250
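The sequence the thread arrives at, as an added example that is not from any of the posters: adding the address to the <badguys> table alone leaves the established UDP state passing traffic, so the states for that address must be killed with pfctl -k right after. It assumes the pf.conf from the question (a <badguys> table referenced by the two block quick rules) and a PFCTL variable, introduced here for dry runs, that defaults to the real pfctl.

```sh
#!/bin/sh
# Added example (not from the thread): put a source address into the
# <badguys> table and kill its existing PF states, so the "block in quick
# from <badguys>" / "block out quick to <badguys>" rules take effect at once
# instead of waiting for the state to expire.
#
# PFCTL is an assumption made for this example: set PFCTL=echo to preview
# the commands without touching the running ruleset.
PFCTL=${PFCTL:-pfctl}

# Accept only a plain dotted-quad IPv4 address (each octet 0-255); anything
# else, including shell metacharacters, is rejected before it reaches pfctl.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Step 1: add the address to the table the block rules reference.
# Step 2: kill the states for that address (pfctl(8) -k), because the block
#         rules are only consulted for packets that do not match a state.
ban_badguy() {
    valid_ipv4 "$1" || return 1
    "$PFCTL" -t badguys -T add "$1" && "$PFCTL" -k "$1"
}

# Usage (as root, with the ruleset loaded):
#   ban_badguy 192.0.2.10      # 192.0.2.0/24 is documentation address space
```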
