DaemonForums  
#1
20th March 2011
Daffy
Fdisk Soldier
 
Join Date: Jun 2010
Posts: 73
Thanked 0 Times in 0 Posts
pf.conf and some questions about brute attacks

As I'm discovering my way through pf while reading the book "The book of PF", I have some questions and need a little help. First of all, I want to be able to configure pf to stop the brute force attacks. So, let's go to pf.conf as the book gives in the example.

First I have to create a table with
Code:
table <bruteforce> persist file "/etc/bruteforce"
This is gonna create a table (<bruteforce>) and create the logs in the file /etc/bruteforce as I can understand.

After that, we're creating the rule
Code:
block quick from <bruteforce>
This is checking if the ip is logged in the <bruteforce> table and denies the chance to try to login, correct?

What I don't understand, is the following:
Code:
pass inet proto tcp to $localnet port $tcp_services \
            keep state (max-src-conn 100, max-src-conn-rate 15/5, \
                      overload <bruteforce> flush global)
- why use 'inet' parameter and not 'in'?

- in the case I want to transfer files from outside the local network (for example I'll say 150 small text files. Not a chance, but for the sake of the question), I must configure the max-conn-rate, or every file counts as a new connection (and therefore I have to modify the max-src-conn?)
#2
20th March 2011
BSDfan666
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

The inet/inet6 parameter is used to distinguish between IPv4 and IPv6, it is not in place of in/out.
  • If in/out are not specified, the rule matches both inbound and outbound packets.
  • If inet/inet6 are not specified, the rule matches both packet families.

Just a reminder, if you're using the latest version of OpenBSD/pf, you'll need the second edition of The Book of PF.
#3
20th March 2011
Daffy
Fdisk Soldier
 
Join Date: Jun 2010
Posts: 73
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by BSDfan666
The inet/inet6 parameter is used to distinguish between IPv4 and IPv6, it is not in place of in/out.
  • If in/out are not specified, the rule matches both inbound and outbound packets.
  • If inet/inet6 are not specified, the rule matches both packet families.
Thank you! So inet for me (IPv4 yet).

Quote:
Originally Posted by BSDfan666
Just a reminder, if you're using the latest version of OpenBSD/pf, you'll need the second edition of The Book of PF.
Thanks. I was very careful about this. The book is indeed the second version. (using OpenBSD 4.8)


Do you (or anyone else) find those rules ok? I know I may seem a little hasty but seeing all those log entries somehow scares me.
#4
20th March 2011
BSDfan666
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

If you want someone to review your ruleset, you should post the entire file in [code][/code] blocks, as an attachment, or hosted on personal webspace.

Be advised that it may take time for someone to respond, but there are a few PF experts on the forums who seem to enjoy tackling overly complicated rulesets.
#5
24th March 2011
Daffy
Fdisk Soldier
 
Join Date: Jun 2010
Posts: 73
Thanked 0 Times in 0 Posts

So it's time for me to post my first pf.conf and hope it's not a complete fail:

Code:
# macros defined
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ ssh, 62222, www }"
udp_services = "{ ssh, 62222, www }"

# tables
table <bruteforce> persist file "/etc/bruteforce"

# block rules
block all
block quick from <bruteforce>

# pass rules
pass inet proto tcp to $localnet port $tcp_services \
	keep state (max-src-conn 100, max-src-conn-rate 20/5, \
		overload <bruteforce> flush global)
And the questions:
- is this going to work? I expect to be able to do simple browsing, be able to ssh to this machine (main desktop) and keep port 62222 open (for transmission). So as far as I can tell, in the macros ssh is port 22, www is port 80 and 62222 is... well, 62222.

- is the macro "localnet = $int_if:network" used to filter my traffic and the traffic from other PCs connected to my desktop?

Those are the questions that come to my mind for now. Back to reading and I'll be coming with more.


Thank you.
#6
25th March 2011
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,135
Thanked 182 Times in 149 Posts

  • Add a log statement to the block rule: block log all
  • Set the loginterface to your NIC.
  • Reload your ruleset
  • Run tcpdump on the pflog0 device.
    Code:
    # tcpdump -en -s 160 -i pflog0
  • Start a web browser and watch the tcpdump window/xterm to see what you are missing.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#7
25th March 2011
Daffy
Fdisk Soldier
 
Join Date: Jun 2010
Posts: 73
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by J65nko
  • Start a web browser and watch the tcpdump window/xterm to see what you are missing.
lol. I think I may have forgotten the "pass out all" rule. That's why I didn't have any connection at all.

Here is my complete pf.conf again. Thank you very much for your help.
Can you find more mistakes? For now, it seems to work fine with browsing but the port 62222 for transmission seems closed. Why is this happening?

Code:
# macros defined
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ ssh, 62222, www }"
udp_services = "{ ssh, 62222, www }"

# tables
table <bruteforce> persist file "/etc/bruteforce"

# options
set loginterface $int_if

# block rules
block log all
block quick from <bruteforce>

# pass rules
pass inet proto tcp to $localnet port $tcp_services \
	keep state (max-src-conn 100, max-src-conn-rate 20/5, \
		overload <bruteforce> flush global)
pass out all
I couldn't find any info on "set loginterface" though. Even in the book, it doesn't explain why and how we use this option. Can you point me in some direction or explain to me why and how we use this rule?

[edit]: also, before pass out all, do I need to add the rule
Code:
pass inet proto udp to $localnet port $udp_services
or is this unnecessary because of the "pass out all" rule (last rule-->strongest rule)?


p.s. I have never been so excited with an OS again...

Last edited by Daffy; 25th March 2011 at 09:51 AM. Reason: add
#8
25th March 2011
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,135
Thanked 182 Times in 149 Posts

The book is a gentle introduction to pf. The details about set loginterface and why it is useful, can be found in the pf.conf(5) manual page.

If you follow my advice, you will see the blocked packets, the protocol (tcp or udp) and the port number in the tcpdump on pflog0 xterm.
If you don't want pf to block this type of packets, then you have all the information to create an additional rule that will allow this kind of traffic.

Instead of giving hungry Daffy a fish, I am just trying to teach how to fish by yourself
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
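The tcpdump-on-pflog0 check J65nko describes in posts #6 and #8, reduced to a tally, as an added example that is not from the thread or from OpenBSD: it reads the `tcpdump -en -s 160 -i pflog0` output on stdin and prints, for blocked packets only, protocol and destination port with a count, so the pass rule that is missing stands out. The sample lines are constructed in the shape OpenBSD's tcpdump prints for pflog records; the field positions and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: tally what pf is blocking from
# tcpdump's pflog0 output, so you can see which pass rule is missing.
# Real use (as root):  tcpdump -en -s 160 -i pflog0 | summarize_blocks
# Line shape below is assumed from OpenBSD pflog records: constructed sample.

SAMPLE_PFLOG='Mar 25 10:01:02.000001 rule 0/(match) block in on ale0: 203.0.113.5.51234 > 192.168.1.2.62222: S 100:100(0) win 65535 <mss 1460>
Mar 25 10:01:03.000002 rule 0/(match) block in on ale0: 203.0.113.5.51235 > 192.168.1.2.62222: S 101:101(0) win 65535 <mss 1460>
Mar 25 10:01:04.000003 rule 0/(match) block in on ale0: 198.51.100.8.40000 > 192.168.1.2.62222: udp 120
Mar 25 10:01:05.000004 rule 2/(match) pass in on ale0: 198.51.100.9.2222 > 192.168.1.2.22: S 102:102(0) win 65535
Mar 25 10:01:06.000005 rule 0/(match) block in on ale0: 203.0.113.7.5555 > 192.168.1.2.22: . ack 1 win 16384'

# summarize_blocks: read pflog tcpdump lines on stdin and print one line per
# "proto dst-port" seen in blocked packets, followed by its count, busiest first.
summarize_blocks() {
    awk '
        # passed packets are irrelevant when hunting for a missing pass rule
        / block (in|out) on / {
            # destination is the token after ">", printed as a.b.c.d.port:
            dst = ""; nxt = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); nxt = $(i + 2); break }
            if (dst == "") next
            sub(/:$/, "", dst)
            n = split(dst, part, ".")
            port = part[n]
            # tcpdump decodes TCP as flag letters (S, P, F, R, .) and UDP as "udp"
            if (nxt == "udp") proto = "udp"
            else if (nxt ~ /^[SPFRW.]+$/) proto = "tcp"
            else proto = "other"
            count[proto " " port]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2n
}

# demo_summary: run the tally over the constructed sample above.
demo_summary() {
    printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks
}

demo_summary
```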
#9
25th March 2011
Daffy
Fdisk Soldier
 
Join Date: Jun 2010
Posts: 73
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by J65nko
The book is a gentle introduction to pf. The details about set loginterface and why it is useful, can be found in the pf.conf(5) manual page.
Found it, understood it. There's so much information and really with so much reading, a starter may be confused. I hope in some time (and with more reading) I'll be able to understand most of these rules. Practice, practice, practice...

After all, I'm already able to do everything I did with other operating systems with OpenBSD and I'm happy. It completely took over my Desktop.

Quote:
Originally Posted by J65nko
If you follow my advice, you will see the blocked packets, the protocol (tcp or udp) and the port number in the tcpdump on pflog0 xterm.
If you don't want pf to block this type of packets, then you have all the information to create an additional rule that will allow this kind of traffic.
I see them all now. I can't thank you and all the other members enough for all the information you're providing.

Quote:
Originally Posted by J65nko
Instead of giving hungry Daffy a fish, I am just trying to teach how to fish by yourself
The part with the "fish" was the best.
26th March 2011
Daffy
Fdisk Soldier
 
Join Date: Jun 2010
Posts: 73
Thanked 0 Times in 0 Posts

Everything seems to work perfectly now. I modified my pf.conf file even more, mainly the "max-src-conn" and "max-src-conn-rate" numbers, to get the desired results, but I ran into another question.

I blocked an attacker with the ip 77.xx.xx.x and I saw the ip at the bruteforce table with
Code:
>sudo pfctl -t bruteforce -T show
 77.xx.xx.x
When I changed the max-src-conn-rate and reloaded my pf.conf with
Code:
>sudo pfctl -f /etc/pf.conf
I decided to check the bruteforce table again and it was empty. Does the table reset every time I reload my pf.conf file or if I restart my pc? Why is this happening? I mean the table is persisted (therefore it can be updated) but at the same time I have created a file which contains the table logs with
Code:
table <bruteforce> persist file "/etc/bruteforce"
[edit]:
For anyone else having trouble figuring this out (if my way is wrong, please correct me):

I found the way to save entries with
Code:
sudo pfctl -t bruteforce -T show >/etc/bruteforce
but I was getting the error
Code:
ksh: cannot create /etc/bruteforce: Permission denied
So with
Code:
sudo chmod g+w bruteforce
I changed permissions and now entries are saved!


I hope not so bad for a complete newbie.

Last edited by Daffy; 26th March 2011 at 11:29 PM.
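The save step Daffy works out above, as an added example that is not from the thread or from OpenBSD: pf only reads the persist file when the ruleset is loaded and never writes runtime overload entries back to it, so saving them is the administrator's job. This sh function is meant to run as root (so the persist file stays root-owned rather than group-writable), merges a `pfctl -t bruteforce -T show` dump into the file instead of overwriting it, drops anything that is not an address, and replaces the file atomically. The function names and the path are this example's choices.

```shell
#!/bin/sh
# Added example, not from the thread: merge a dump of pf's <bruteforce> table
# into its persist file. pf only *reads* that file when the ruleset is loaded;
# addresses added at runtime by "overload" are never written back, so saving
# them is the administrator's job. Run as root so the file stays root-owned:
#   pfctl -t bruteforce -T show | merge_table_dump /var/db/bruteforce
# Function names and path are this example's choices, not pf's.

# filter_addrs: keep only IPv4 addresses or address/prefix entries as pfctl
# prints them (leading spaces stripped); prompts or other junk are dropped.
filter_addrs() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# merge_table_dump FILE: union the dump on stdin with FILE's current entries,
# write the result to a temp file and rename it over FILE, so a crash mid-write
# never leaves a truncated persist file for the next "pfctl -f". Prints the
# number of entries now on disk.
merge_table_dump() {
    target=$1
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    {
        [ -f "$target" ] && cat "$target"
        cat
    } | filter_addrs | sort -u > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp"      # readable for pfctl at boot, writable by owner only
    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    wc -l < "$target" | tr -d ' '
}
```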
27th March 2011
Loki
Port Guard
 
Join Date: Nov 2008
Location: Sydney
Posts: 11
Thanked 0 Times in 0 Posts
Don't do that

Code:
table <bruteforce> persist file "/etc/bruteforce"

No. Make it /var/db/bruteforce or use /var/pf/ after you make the /var/pf dir.
Tags
bruteforce, pf, pf.conf