DaemonForums  
#1
5th October 2011
Daffy
Join Date: Jun 2010
Posts: 73

attacks are not being added to the pf table

Hi. I ran into some trouble. I changed the default ssh listening port from 22 to 1337 and added the port in pf.conf, but when I tried to log in with false credentials from another computer (outside the network) the IP is not being added to the table.

I changed the default port in sshd_config with
Code:
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 1337
My pf.conf is the following:
Code:
# macros
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ 62222, www, 1337 }"
udp_services = "{ 62222, www, 1337 }"

# tables
table <bruteforce> persist file "/var/pf/bruteforce"

# options
set loginterface $int_if

# disable filtering on loopback interface
set skip on lo0

# block rules
block log all
block quick from <bruteforce>

# pass rules
pass inet proto tcp to $localnet port $tcp_services \
	keep state (max-src-conn 50, max-src-conn-rate 3/60, \
		overload <bruteforce> flush global)
pass out all
When I have made 6 attempts with a false password, 'pfctl -t bruteforce -T show' gives me an empty table.

I suspect that something is wrong with the way I changed the port...
#2
5th October 2011
jggimi
Join Date: May 2008
Location: USA
Posts: 3,815

I don't see anything obviously wrong. Your test might be in error.

If you add the "log" keyword to your pass rule, # tcpdump -neti pflog0 will give you timestamps for each state creation.
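The advice above rests on what the overload rule actually counts. Options such as max-src-conn-rate 3/60 are evaluated when PF creates a new state, i.e. once per TCP connection from a source address, which is exactly the event that tcpdump on pflog0 would timestamp. What happens inside that connection is invisible to the rule, so several password attempts over a single ssh session are one event for it. The following Python model, added here for illustration and not taken from either poster, shows that trigger condition with constructed addresses and timestamps. It is an assumption-level simplification: pf's kernel keeps a decaying counter rather than a list of timestamps, but the condition "more than N new states from one source within the interval, then add the source to the table" is the same.

```python
"""Simplified model of a PF rule of the form

    pass ... keep state (max-src-conn-rate N/S, overload <bruteforce> flush global)

Constructed for illustration; not pf's implementation and not the thread's config.
"""
from collections import defaultdict, deque


class OverloadModel:
    def __init__(self, max_src_conn_rate, seconds):
        self.limit = max_src_conn_rate      # the N in N/S
        self.seconds = seconds              # the S in N/S
        self.recent = defaultdict(deque)    # src -> times of recent new states
        self.bruteforce = set()             # stands in for table <bruteforce>

    def new_state(self, src, t):
        """One new connection from src at time t (seconds).

        Returns what the modelled ruleset would do with it."""
        # 'block quick from <bruteforce>' sits before the pass rule, so an
        # address already in the table never reaches the rate check.
        if src in self.bruteforce:
            return "blocked"
        window = self.recent[src]
        # forget new states older than the interval (sliding window)
        while window and t - window[0] >= self.seconds:
            window.popleft()
        window.append(t)
        if len(window) > self.limit:
            # overload: the source goes into the table; 'flush global' tears
            # down its existing states, modelled here by forgetting its history
            self.bruteforce.add(src)
            window.clear()
            return "overloaded"
        return "passed"


def demo():
    """Two constructed scenarios against a 3/60 rule."""
    model = OverloadModel(max_src_conn_rate=3, seconds=60)
    # a client opening a fresh TCP connection every 10 seconds (constructed address)
    fast = [model.new_state("198.51.100.7", t) for t in (0, 10, 20, 30, 40)]
    # one interactive ssh session, however many wrong passwords: a single state
    single = model.new_state("203.0.113.9", 0)
    return {"fast": fast, "single_session": single,
            "table": sorted(model.bruteforce)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the first scenario the fourth connection inside 60 seconds trips the rule and the fifth is dropped by the block rule; in the second, one session never adds its address, regardless of how many passwords are tried in it.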
#3
21st October 2011
Daffy
Join Date: Jun 2010
Posts: 73

And back for more info. Due to work and being sick, I could not find the courage to post more info...

The strange thing is that if I remove the 1337 port from udp_services, the table works... I tried a somewhat different approach by changing the rules specifically for the ssh port.

Code:
# macros defined
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ 62222, www, 1337 }"
udp_services = "{ 62222, www }"

# tables
table <bruteforce> persist

# options
set loginterface $int_if

# disable filtering on loopback interface
set skip on lo0

# block rules
block log all
block quick from <bruteforce>

# pass rules for ssh
pass quick proto { tcp,udp } to port 1337 \
        keep state (max-src-conn 10, max-src-conn-rate 2/60, \
                overload <bruteforce> flush global)

pass inet proto tcp to $localnet port $tcp_services \
        keep state (max-src-conn 50, max-src-conn-rate 3/60, \
                overload <bruteforce> flush global)
pass out all
Why does 'overload table' work only when I remove the ssh port from udp_services?..
#4
21st October 2011
jggimi
Join Date: May 2008
Location: USA
Posts: 3,815

Quote:
Why does 'overload table' work only when I remove the ssh port from udp_services?..
Your filter rule has two protocols in a list. This is expanded into separate rules by PF, which you can see with # pfctl -sr if you are interested.

I am guessing that having the two protocols, because they are expanded, is the root cause -- it interferes with correct stateful processing.

SSH does not use UDP, so you can eliminate the problem by removing UDP from the rule.
#5
21st October 2011
Daffy
Join Date: Jun 2010
Posts: 73
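Putting the two suggestions from this thread together, here is the ssh rule from post #3 with the UDP protocol dropped (post #4) and the "log" keyword added to the pass rule (post #2) so that each state creation shows up on pflog0. This is an added example, not Daffy's or jggimi's own configuration; the interface, table and port numbers are the ones used in the thread, and 1337 is left out of tcp_services because the dedicated rule handles it.

```pf
# macros (taken from the thread)
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ 62222, www }"

# tables
table <bruteforce> persist file "/var/pf/bruteforce"

# options
set loginterface $int_if
set skip on lo0

# block rules
block log all
block quick from <bruteforce>

# pass rule for ssh: one protocol only.  sshd listens on TCP, so a
# "{ tcp,udp }" list just expands into two rules (compare pfctl -sr) and
# ssh connections never match the UDP half.  "log" makes every new state
# visible with: tcpdump -neti pflog0
pass log quick inet proto tcp to $localnet port 1337 \
        keep state (max-src-conn 10, max-src-conn-rate 2/60, \
                overload <bruteforce> flush global)

# remaining services
pass inet proto tcp to $localnet port $tcp_services \
        keep state (max-src-conn 50, max-src-conn-rate 3/60, \
                overload <bruteforce> flush global)
pass out all
```

After loading it, `pfctl -sr` shows the expanded ruleset, and `pfctl -t bruteforce -T show` should list a source once it has opened more than two new ssh connections within 60 seconds; the counters see connections, not failed passwords, so a test needs separate connections rather than repeated attempts inside one session.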

I see what you mean.

As always, thank you.