DaemonForums, OpenBSD Security forum

Thread: Brute force attacks

#1  25th June 2011
Dr-D (Port Guard)
Join Date: Jun 2011
Posts: 38

I have a question regarding brute force attacks on PCs behind my OpenBSD firewall, but after thinking about it I think I've answered my own question. I'll ask anyway, just to verify.

My question was this:
Can brute force VNC attacks be handled like SSH? I have an OpenBSD firewall with port forwarding to two Windows boxes. I'm the only one who should ever be connecting to these systems, from wherever in the world I happen to be, so what I would like to do is give myself two attempts to connect, just in case caps lock is on or there's a typo on the first attempt. If the second attempt fails then it should completely ignore/block any more attempts for the next five minutes, or however long I wish for it to wait, then allow me to try again after that amount of time has elapsed. Is this possible?

Answer to my own question:
No, this isn't possible, because the OpenBSD firewall is simply forwarding the connection to the appropriate PC behind the firewall, and it is therefore the responsibility of the Windows PC accepting the connection to enforce such a rule set.

Did I ask and answer my own question correctly? Below is a copy of my pf.conf file in case it has any relevance.

#######################
# pf.conf
# macros
int_if="xl0"            # LAN side
ext_if="xl1"            # Internet side
whs="192.168.0.50"      # reached from outside on 443
pc1="192.168.0.20"      # Windows box 1, reached from outside on 5900
pc2="192.168.0.21"      # Windows box 2, reached from outside on 5901

# options
set block-policy drop   # silently drop blocked packets, no RST/ICMP reply
set loginterface $ext_if
set skip on lo

# match rules
match in all scrub (no-df)                                          # normalise inbound packets
match out on egress inet from !(egress) to any nat-to (egress:0)    # NAT the LAN behind the external address

# filter rules
block in log            # default deny inbound, logged
pass out quick          # anything outbound is allowed
antispoof quick for { lo $int_if }
# inbound port forwards from the Internet; synproxy completes the TCP
# handshake on the firewall before the internal host sees the connection
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $pc1 synproxy state
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $pc2 synproxy state
pass in log on $int_if  # trust everything coming from the LAN
#######################
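What pf itself can do with the forwarded ports, as an added example that is not part of the original post. The rdr-to rule creates the TCP state on the firewall, so the same source-tracking options used in the common SSH brute-force recipes can be attached to it. What pf counts is new TCP connections per source address, not VNC password failures: this enforces "two connections, then wait five minutes", and a client that tries many passwords inside one connection is not seen. The table name <bruteforce> and the cron line are assumptions; the macros come from the pf.conf above.

```conf
# Added example, not from the original post. Drops into the pf.conf above
# (OpenBSD 4.7+ syntax, $pc1 and $pc2 as defined there). The table name
# <bruteforce> is a placeholder; 2 connections per 300 seconds matches the
# "two tries, then wait five minutes" requirement.

table <bruteforce> persist

# Anything from an address that already tripped the limit is dropped.
# "quick" is required: the pass rules below would otherwise match last and win.
block in quick log on egress from <bruteforce>

# Same forwards as before, with source tracking on the state: a third new
# TCP connection from one source address within 300 seconds adds that
# address to <bruteforce> and kills its existing states (flush global).
pass in on egress inet proto tcp to (egress) port 5900 rdr-to $pc1 \
	synproxy state (max-src-conn-rate 2/300, overload <bruteforce> flush global)
pass in on egress inet proto tcp to (egress) port 5901 rdr-to $pc2 \
	synproxy state (max-src-conn-rate 2/300, overload <bruteforce> flush global)

# Table entries never expire on their own. Remove entries older than
# 300 seconds from root's crontab (assumed line, runs every minute):
#   * * * * * /sbin/pfctl -t bruteforce -T expire 300
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it. While testing from the road, keep a second path in (or a short expire interval): your own address lands in the table after the third connection just like anyone else's, and "pfctl -t bruteforce -T show" / "pfctl -t bruteforce -T delete <address>" are how you look and unblock. Because the rule uses synproxy, half-open SYN scans do not count against the limit.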
#2  18th July 2011
plexter (Shell Scout)
Join Date: May 2008
Posts: 124

I recommend you don't forward VNC traffic at all. VNC traffic is not secure by default, and all info, including passwords, is sent in clear text.

Instead I recommend setting up either OpenVPN or SSH with port forwarding enabled. SSH is by far the easier of the two to implement.

The idea is to tunnel your VNC Viewer through your SSH tunnel, thus protecting it.

I won't bother posting links as Google will show you many examples.

This (SSH) would allow:

1. A secure connection from anywhere via SSH
2. Through SSH there are many features to control how users are able to connect

Some examples being:
Code:
LoginGraceTime
MaxAuthTries
MaxStartups
Port XXXX <-- this will help avoid scripted scans

3. Fewer rules in your pf.conf

Read here for more on SSH:
http://www.openbsd.org/cgi-bin/man.c...ry=sshd_config

Cheers!
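The sshd_config(5) side of plexter's suggestion, as an added example that is not from the original post: the directives he lists, plus the ones that keep the tunnel from turning into a general-purpose door into the LAN. It assumes sshd runs on the OpenBSD firewall itself, the two Windows boxes from the pf.conf in post #1, and a placeholder port (2222) and login name (drd).

```conf
# Added example, not from the original post. Goes in /etc/ssh/sshd_config
# on the OpenBSD firewall; 2222 and "drd" are placeholders.

# Non-default port: cuts scripted-scan noise, it is not a security control.
Port 2222
PermitRootLogin no
# Only this account may log in at all.
AllowUsers drd

# Keys only: with no password to guess, a brute-force attempt has nothing to try.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Limit what a single guessing client can do per connection.
# 30 seconds to complete authentication, then the connection is closed.
LoginGraceTime 30
# Two authentication attempts per connection, then disconnect.
MaxAuthTries 2
# With 10 unauthenticated connections pending, refuse 30% of new ones,
# rising linearly to 100% at 60 (random early drop).
MaxStartups 10:30:60

# Allow the tunnel, but only to the two VNC targets, nothing else on the LAN.
AllowTcpForwarding yes
PermitOpen 192.168.0.20:5900 192.168.0.21:5900
X11Forwarding no

# Client side (example invocation): bind the viewer port locally and tunnel it,
# then point the VNC viewer at localhost:5900 instead of the public address.
#   ssh -N -p 2222 -L 5900:192.168.0.20:5900 drd@<firewall public address>
```

Run "sshd -t" before restarting sshd. On the firewall the three rdr-to lines in post #1 then collapse into a single "pass in on egress inet proto tcp to (egress) port 2222" rule, and the 5900/5901 forwards are removed so VNC is no longer reachable from the Internet at all. The VNC session is still clear text on the last hop, between the firewall and the Windows box on the LAN; that is the part of the path this design chooses to accept.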