How about a distributed setup?
Has anyone thought of a way of getting IPs from various servers (say linux
& fail2ban) to the central OpenBSD (pf) firewall?
Ideally with history in order to punish more the frequent abusers.
I had plans on looking at bgp to distribute the IPs around but maybe
there is already a better way of doing this.
thanks and sorry for hijacking but I believe it's quite relevant.
G
On 3/25/21 10:57 AM, Matthias Pressfreund wrote:
You could try this: https://github.com/mpfr/pftbld
It uses pf tables instead of anchors to achieve the same goal.
Handling sshd abusers may be accomplished by first using pf source-tracking
to catch them. For example:
------
table <abusers_catch> persist
block in quick from <abusers_catch>
pass in on egress proto tcp to egress port ssh keep state ( \
	max-src-conn 50, max-src-conn-rate 5/180, \
	overload <abusers_catch> flush global \
)
------
After that, abusers may be fed to pftbld by a cron-controlled script.
For example:
------
#!/bin/ksh
# pf table filled by the overload rule above
table='abusers_catch'
pftblctl='/usr/local/sbin/pftblctl'
# pftbld data socket for the "abuse" target
sock='/var/run/pftbld-abuse.sock'
# hand every caught address to pftbld; drop it from the pf table only once
# pftbld has acknowledged it, so unacknowledged ones are retried next run
pfctl -t "${table}" -T show | while read -r ip; do
	[[ $(${pftblctl} -s "${sock}" "${ip}") = 'ACK' ]] \
	&& pfctl -q -t "${table}" -T delete "${ip}"
done
------
Handling httpd abusers is simpler and more straightforward, as shown in the
pftbld documentation.
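A hardened variant of the cron job above, added here as an example (not pftbld's or the poster's own code): it validates each line before handing it to pftbld, keeps anything pftbld did not ACK in the table for the next run, and reports counts. The command paths are variables so the logic can be exercised without pf; the pftblctl -s option and socket path are taken from the post.

```shell
#!/bin/sh
# Added example, not pftbld's own code: feed the pf overload table to pftbld.
# An address leaves <abusers_catch> only after pftbld answered ACK, so anything
# pftbld could not take stays in the table and is retried on the next cron run.

TABLE=${TABLE:-abusers_catch}
SOCK=${SOCK:-/var/run/pftbld-abuse.sock}
PFCTL=${PFCTL:-pfctl}                            # assumption: pfctl(8) in PATH
PFTBLCTL=${PFTBLCTL:-/usr/local/sbin/pftblctl}   # path as used in the post

# Cheap sanity check: accept only IPv4/IPv6 literals (optionally with /prefix),
# so a garbled line never reaches pftbld or pfctl as an argument.
is_addr() {
    case $1 in
        ''|*[!0-9a-fA-F:./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reads one address per line on stdin (the format of `pfctl -t TABLE -T show`),
# sends each to pftbld and prints "<handed-over> <kept>" counts when done.
sync_abusers() {
    acked=0; kept=0
    while read -r ip; do
        if ! is_addr "$ip"; then
            kept=$((kept + 1)); continue
        fi
        if [ "$("$PFTBLCTL" -s "$SOCK" "$ip" 2>/dev/null)" = ACK ]; then
            # pftbld took it: only now drop it from the pf table
            "$PFCTL" -q -t "$TABLE" -T delete "$ip" \
                && acked=$((acked + 1)) || kept=$((kept + 1))
        else
            kept=$((kept + 1))      # pftbld down or refused: retry next run
        fi
    done
    echo "$acked $kept"
}

# Real run (from cron): only when pftblctl is actually installed here.
if [ -x "$PFTBLCTL" ]; then
    "$PFCTL" -t "$TABLE" -T show | sync_abusers
fi
```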
On 2021-03-24 19:33, jeanpierre wrote:
Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
For the sake of completeness: blacklistd is a daemon that, using pf
anchors, blocks connections from abusive hosts to particular services
(e.g. sshd) until they start behaving themselves again.
I find it very useful for trimming down log files.
Regards,
Jean-Pierre