On 05/05/18 01:56, Kapfhammer, Stefan wrote:
>
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> for successful and unsuccessful logins and then add the unsuccessful logins
> with pfctl to a blocked table. To have it permanent after a reboot you can
> write with pfctl the blocked ip's to a file, which you re-read in a pf.conf
> ruleset.
>
> Like
> table <bruteforce> persist file "/etc/pf.bruteforce"
> block in quick proto tcp from <bruteforce> to any
The problem here is what logon attempt frequency and which number of simultaneous connections you set as acceptable. You *will* at some point end up blocking yourself based on those criteria, even more certainly so if you're chasing the relatively slow attackers, and if you allow password logins at all, valid users will occasionally mistype their passwords.

For those reasons, I ended up with a regime that block drops according to something like

# ---
table <bruteforce> persist counters file "/var/tmp/bruteforce"
block drop log (all) quick from <bruteforce> label bruteforce
pass in quick log (all) on egress proto tcp to port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global, pflow)

and just because I can, 28 day expiry, and a cron job that dumps table contents to file at reasonable intervals.

The bruteforce table is never empty, and the bulk of the miscreants will be caught this way.

After trying various fully automatic variants that all bit back in various ways, I ended up determining that scanning the logs manually when I have time (typically once or twice per day) was sufficient to catch the rest. Then I add to the bruteforce table and harvest local parts for the spamtraps.

Some of my scribbles on this can be found at
https://bsdly.blogspot.no/2017/04/forcing-password-gropers-through.html and
http://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-lessons-learned.html
(with references)

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
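As an added example for the authlog-parsing approach suggested in the quoted message (example code written for this thread, not Peter's or Stefan's own scripts), the script below counts failed sshd password attempts per source address across /var/log/authlog and the rotated authlog.N.gz files and prints the pfctl commands that would add repeat offenders to the <bruteforce> table. The threshold and the allow-list of your own management hosts are assumed operator choices; the allow-list is what keeps the self-lockout Peter describes from happening, and the sample log lines are constructed in OpenSSH's "Failed password" format.

```python
import gzip
import re
from collections import Counter
from collections.abc import Iterable
from pathlib import Path

# OpenSSH's log line for a rejected password; group 1 is the source address.
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def read_authlogs(paths: Iterable[Path]) -> Iterable[str]:
    """Yield lines from /var/log/authlog and logrotated authlog.N.gz files."""
    for p in paths:
        opener = gzip.open if p.suffix == ".gz" else open
        with opener(p, "rt", errors="replace") as fh:
            yield from fh

def count_failures(lines: Iterable[str]) -> Counter:
    failures = Counter()  # failed password attempts per source address
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
    return failures

def offenders(failures: Counter, threshold: int, allow: set) -> list:
    """Addresses at or above threshold; allow-listed hosts are never blocked."""
    return sorted(ip for ip, n in failures.items()
                  if n >= threshold and ip not in allow)

def pfctl_commands(ips: Iterable[str], table: str = "bruteforce") -> list:
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]  # printed, not run

# Constructed sample authlog lines (not real traffic), in sshd's format.
SAMPLE = """\
May  5 01:40:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
May  5 01:40:03 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
May  5 01:40:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 40003 ssh2
May  5 01:41:10 host sshd[1240]: Failed password for peter from 192.0.2.10 port 50000 ssh2
May  5 01:41:15 host sshd[1241]: Accepted publickey for peter from 192.0.2.10 port 50000 ssh2
May  5 01:42:00 host sshd[1250]: Failed password for invalid user test from 198.51.100.7 port 3344 ssh2
May  5 01:42:02 host sshd[1251]: Failed password for invalid user test from 198.51.100.7 port 3345 ssh2
May  5 01:42:04 host sshd[1252]: Failed password for invalid user test from 198.51.100.7 port 3346 ssh2
""".splitlines()

if __name__ == "__main__":
    # Real use: count_failures(read_authlogs(sorted(Path("/var/log").glob("authlog*"))))
    counts = count_failures(SAMPLE)
    for cmd in pfctl_commands(offenders(counts, threshold=3, allow={"192.0.2.10"})):
        print(cmd)
```

Review the printed commands before running them; a 28 day expiry as in Peter's ruleset (pfctl -t bruteforce -T expire) keeps the table from growing without bound.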