DaemonForums > OpenBSD > OpenBSD Security
#1
14th April 2010
mfaridi

PF and Stateful Tracking Options

I want to use PF as a firewall for our webserver; our webserver is Apache.
I read this link
http://www.openbsd.org/faq/pf/filter.html

but I cannot understand this section:
Code:
An example:

    table <abusive_hosts> persist
    block in quick from <abusive_hosts>

    pass in on $ext_if proto tcp to $web_server \
        port www flags S/SA keep state \
        (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush) 

This does the following:

    * Limits the maximum number of connections per source to 100
    * Rate limits the number of connections to 15 in a 5 second span
    * Puts the IP address of any host that breaks these limits into the <abusive_hosts> table
    * For any offending IP addresses, flush any states created by this rule.
So I understand this:
For example, if some user with this IP
192.168.0.52
connects to my web server, he or she can only open 15 pages in 5 seconds; if he or she opens new pages, pf blocks him.

And I understand this:
a user with 192.168.0.53 cannot open more than 15 pages, or cannot make more than 15 connections, in 5 seconds.

Am I right?
Do I understand this correctly?
With this rule, each IP can have 15 connections in 5 seconds.
Please can someone explain this section better for me?
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.

#2
14th April 2010
jggimi


Quote:
Originally Posted by mfaridi View Post
...I understand this:
a user with 192.168.0.53 cannot open more than 15 pages, or cannot make more than 15 connections, in 5 seconds.

Am I right?
Do I understand this correctly?
Yes, you are right, but .... only because each web page request from a browser uses a separate HTTP session.

(PF does not know anything about applications. All it knows is TCP/IP. Other application abuse may or may not be manageable with PF.)

In this example you reference, abusers get their IP address added to the "abusive_hosts" table, they get blocked, and their existing sessions get killed.

The "abusive_hosts" table is in kernel memory, and not stored in a file, so a restart of the OS will start with an empty table. To make it permanent, you can add pfctl commands to /etc/rc.shutdown to store the table in a file, and use the "file" option of the table command in pf.conf, to load the table from the file at start up. These are described in pfctl(8) and pf.conf(5).
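As an added example of the arrangement jggimi describes (not code from the thread or from OpenBSD), the script below dumps the live <abusive_hosts> table to a file on shutdown so that the `file` option of the pf.conf table can reload it at boot. The save path /var/db/abusive_hosts, the function names and the script's command-line interface are assumptions; the pfctl invocations (`-T show`, `-T replace -f`) are the real ones from pfctl(8).

```shell
#!/bin/sh
# Added example: keep PF's <abusive_hosts> table across reboots.
# Assumed pf.conf line:  table <abusive_hosts> persist file "/var/db/abusive_hosts"

TABLE=abusive_hosts
SAVEFILE=/var/db/abusive_hosts          # assumed location

# `pfctl -t <table> -T show` prints one indented address per line. Turn that
# into the one-address-per-line form the `file` option reads back: strip
# whitespace, drop empty lines, remove duplicates.
normalize_table() {
    tr -d ' \t' | grep -v '^$' | sort -u
}

# Called from /etc/rc.shutdown: write the live table to SAVEFILE atomically,
# so a reboot in the middle of the dump cannot leave a half-written file.
save_table() {
    pfctl -t "$TABLE" -T show 2>/dev/null | normalize_table > "$SAVEFILE.tmp" &&
        mv "$SAVEFILE.tmp" "$SAVEFILE"
}

# Manual reload, for testing; at boot pf.conf's `file` option does this itself.
load_table() {
    pfctl -t "$TABLE" -T replace -f "$SAVEFILE"
}

case "$1" in
    save) save_table ;;
    load) load_table ;;
esac
```

Install it somewhere like /usr/local/sbin and call it with `save` from /etc/rc.shutdown. One caveat: saving the table also saves the bans. An address written to the file stays blocked after every reboot until something removes it, so if the block is meant to be temporary, pair this with a periodic `pfctl -t abusive_hosts -T expire <seconds>` rather than relying on a reboot to clear the table.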

#3
14th April 2010
mfaridi


So, for better performance, how do I change this?
Code:
max-src-conn-rate 15/5
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.

#4
14th April 2010
jggimi


There is no "better performance" -- there is only "stopping abuse". And only you can define what abuse means to you.

#5
14th April 2010
wesley


This is more useful to restrict ssh access...
For a webserver, it is quite annoying.

#6
14th April 2010
jggimi


One -can- restrict the total number of simultaneous states allowed, to keep access manageable in the event a website gets "slashdotted" -- overwhelmed because of sudden increased transaction rates.

In the example mfaridi quoted, max-src-conn 100 limits the number of simultaneous transactions to 100. Users beyond that number do not get a connection, which -might- or -might not- be a problem, depending on the application. But it does allow the 100 sessions that are connected to function without overwhelming resources.

That "100" is of course not meaningful without understanding the webserver's capacity, and the capacity of adjunct application and database servers that might be involved.

#7
14th April 2010
Carpetsmoker


Quote:
this is more useful to restrict ssh access...
For a webserver, it is quite annoying.
Some webservers, such as the Hiawatha webserver, actually have these options built in (the ConnectionsTotal, ConnectionsPerIP, BanOnFlooding and BanOnMaxPerIP options).

In the pf.conf for this forum I have:
Quote:
source-track max-src-conn 50 max-src-conn-rate 200/10
For a time I monitored the overload table I used, to see how often this limit was reached: almost never, and when it was reached it was almost always by a bot, either a legitimate bot (i.e. Google) or a bot of unclear origin and doubtful legitimacy.
I solved the problem by making a table with known bot addresses (taken from iplists.com) which are exempted from this rule.

Why use max-src-conn and max-src-conn-rate? It prevents (D)DoS attacks.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

#8
15th April 2010
mfaridi


Can we find another solution to control access to the web server? We use this rule, but in some places, like a school with ADSL internet sharing, our PF blocks them; for example, we have 200 computers in one school and all of them share one ADSL internet connection.
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.

#9
15th April 2010
mfaridi


Quote:
Originally Posted by Carpetsmoker View Post
Some webservers, such as the Hiawatha webserver, actually have these options built in (the ConnectionsTotal, ConnectionsPerIP, BanOnFlooding and BanOnMaxPerIP options).

In the pf.conf for this forum I have:
Quote:
source-track max-src-conn 50 max-src-conn-rate 200/10

For a time I monitored the overload table I used, to see how often this limit was reached: almost never, and when it was reached it was almost always by a bot, either a legitimate bot (i.e. Google) or a bot of unclear origin and doubtful legitimacy.
I solved the problem by making a table with known bot addresses (taken from iplists.com) which are exempted from this rule.

Why use max-src-conn and max-src-conn-rate? It prevents (D)DoS attacks.
If I understand correctly, you advise me to make a new table for bots and tell pf not to block these IPs (bot IPs).
Am I right?
If I understand correctly, I have the abuse table too; in the abuse rule I define that PF blocks at the maximum connections, and I think this rule will block the BOT IPs too.
So I tell PF not to use the abuse rule for the BOT IPs, and to use the abuse rule for the others?
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in persian or Farsi.

15th April 2010
Carpetsmoker


Yes, you understand it correctly. This only matters if you actually care about your site showing up in google.

Here are a few examples from my pf.conf

Code:
table <badguys> persist
table <goodbots> persist file "/root/goodbots"

pass in on $if proto tcp from any to $ip2 port http keep state \
  (source-track max-src-conn 50 max-src-conn-rate 200/10 overload <badguys>)

pass in quick on $if proto tcp from <goodbots> to {$ip1, $ip2} port http
block drop in on $if from <badguys>
It is important to use -T expire if you don't want to ban people forever when they make too many requests, so in your /etc/crontab add something along the lines of:
Code:
# Don't ban people for more than n seconds
*       *       *       *       *       root    /sbin/pfctl -t badguys -T expire 5 > /dev/null 2>&1
This will ban people for 5 to 10 seconds. (Since atrun is only executed every 5 seconds by default.)

I make the file /root/goodbots with a simple shell script. Adjust the lists to your needs:

Code:
#!/bin/sh
#
# Build /root/goodbots from published crawler address lists.
# fetch(1) is FreeBSD's downloader; on OpenBSD use: ftp -o "${tmp}" "${list}"

lists="
http://iplists.com/google.txt
http://iplists.com/inktomi.txt
http://iplists.com/lycos.txt
http://iplists.com/infoseek.txt
http://iplists.com/altavista.txt
http://iplists.com/excite.txt
http://iplists.com/northernlight.txt
http://iplists.com/misc.txt
http://iplists.com/non_engines.txt
"

out=/root/goodbots
tmp=/tmp/list

# Truncate the same file the loop appends to below.
: > "${out}"

for list in ${lists}; do
        fetch -o "${tmp}" "${list}" || continue
        # Keep address lines only: drop comment lines and blank lines.
        grep -Ev '^(#|$)' "${tmp}" >> "${out}"
done

rm -f "${tmp}"
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.