DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Installation and Upgrading

FreeBSD Installation and Upgrading Installing and upgrading FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 18th February 2009
DNAeon DNAeon is offline
Shell Scout
 
Join Date: Sep 2008
Location: Bulgaria
Posts: 138
Default Automaticaly block IPs with PF

Hi,

I frequently check my logs and there are always some ips that are trying to get access to my system using bruteforce or some other scripts. I have never needed a tool to examine my logs and report such attacks, cause I'm looking at my logs very frequently, but now when I won't have that opportunity ( I won't be at home for a certain time ), I'd like to use such a tool that examines the logs and blocks..

What I'm using right now is a table in PF that reads /etc/blocked_ips and blocks each ip listed in the file.
Code:
# --- block every ip from /etc/blocked_ips file ---
table <blocked_ips> persist file "/etc/blocked_ips"

# --- block every ip from /etc/blocked_ips file
block in log quick on $ext_if from <blocked_ips> to any
I'd like to use a script that examines for bad ssh logins (/var/log/auth), bad smtp attempts (/var/log/maillog), etc..

I want to ask you - what kind of automatic protection are you using? Some kind of a self-written scripts, or some ports that examines the logs and put the bad ips in file?

Thanks!
__________________
"I never think of the future. It comes soon enough." - A.E

Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org
Reply With Quote
  #2   (View Single Post)  
Old 18th February 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

I have several scripts hanging off of different syslog categories and logfiles, which are manipulating several pf tables on the fly, but there are tools like sysutils/grok as well.
Reply With Quote
  #3   (View Single Post)  
Old 18th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I use state table management (overload ... flush) in PF filter rules, in combination with a set of scripts.
Reply With Quote
  #4   (View Single Post)  
Old 18th February 2009
DNAeon DNAeon is offline
Shell Scout
 
Join Date: Sep 2008
Location: Bulgaria
Posts: 138
Default

Can you, please show me some of your custom protection scripts that you use with PF?
__________________
"I never think of the future. It comes soon enough." - A.E

Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org
Reply With Quote
  #5   (View Single Post)  
Old 18th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I'll post a few examples once I have access. I am behind a restrictive firewall at the moment.
Reply With Quote
  #6   (View Single Post)  
Old 18th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Here's an example of using overload...flush to block script kiddie ssh attacks. Any IP address who connects too often too quickly will have their state(s) killed, and they'll be added to the ssh-badguys table:
Code:
# Allow inbound ssh, block more than 3 connections in 30 seconds. 
#
pass in log on $external_nic proto tcp to any port ssh \
    keep state (max-src-conn-rate 3/30, \
    overload <ssh-badguys> flush global)
The ssh-badguys table is temporary. Here's a script that adds the IP address(es) from either the ssh-badguys or ftp-badguys tables into a single, large and permanent badguys table, updates a database with the IP address(es), date/time of the block and a reason for the block. The ftp-badguys table is no longer used, though, as I run a modified ftpd(8) instead, which drops connections from abusers so I don't need it unless I want to restart blocking them from all access. So far, these have all been script kiddies who have scripts that, without my mod, will loop forever attempting to log on to "Administrator":
Code:
#!/usr/bin/perl
# run by cron every 5 mins

# examine ssh-badguys table, if any records:
# 1) add to badguys
# 2) delete from ssh-badguys
# 3) update database

@ssh = `pfctl -t ssh-badguys -T show`;
foreach (@ssh) {
    my $ip = substr($_, 0, -1); # strip the newline char from the end
    system("pfctl -t badguys -T add $ip");
    system("pfctl -t ssh-badguys -T dele $ip");
    system("/root/blocked-add.pl $ip ssh cron");
    print "badguys: $ip added to table - ssh attack";
}

# examine ftp-badguys table, if any records:
# 1) add to badguys
# 2) delete from ftp-badguys
# 3) update database

@ftp = `pfctl -t ssh-badguys -T show`;
foreach (@ftp) {
    my $ip = substr($_, 0, -1); # strip the newline char from the end
    system("pfctl -t badguys -T add $ip");
    system("pfctl -t ftp-badguys -T dele $ip");
    system("/root/blocked-add.pl $ip ftp cron");
    print "badguys: $ip added to table - ftp attack";
}
Of course, shutting down the system requires putting the badguys table into a file for loading on reboot. Here's an excerpt from /etc/rc.shutdown:
Code:
# do a final update to badguys table, and then
# copy the badguys table to disk
#
# ---> if shutdown during single user, badguys may be 0 bytes.  Don't
# ---> overlay file if so.
#
pfctl -t badguys -T show > /tmp/badguys
test -s /tmp/badguys && /root/badguys.pl && \
    pfctl -t badguys -T show > /etc/badguys && \
    chmod 660 /etc/badguys
Lastly, I'd had trouble with ftpd(8), and used to have a cron job that monitored ftp console sessions, killing any states from IP addresses that exceeded some number of bytes in console sessions, and updating an ftp-badguys table.

I eventually decided that a patch to ftpd would solve my problem with less overhead, and submitted it to the tech@ mailing list. Part of it was accepted, but not the part that was actually useful -- dropping the connection -- so I run with this (-current) patch:
Code:
Index: ftpd.c
===================================================================
RCS file: /cvs/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.185
diff -u -r1.185 ftpd.c
--- ftpd.c    30 Sep 2008 16:16:21 -0000    1.185
+++ ftpd.c    8 Oct 2008 01:30:51 -0000
@@ -825,7 +825,8 @@
         checkuser(_PATH_FTPCHROOT, name);
     if (anon_only && !dochroot) {
         reply(530, "User %s access denied.", name);
-        return;
+        dologout(0);
+        /* NOTREACHED */
     }
     if (pw) {
         if ((!shell && !dochroot) || checkuser(_PATH_FTPUSERS, name)) {

Last edited by jggimi; 18th February 2009 at 11:37 PM.
Reply With Quote
  #7   (View Single Post)  
Old 19th February 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I neglected to mention my patch to ftpd(8) was for OpenBSD; something similar could be worked up for FreeBSD's ftpd(8).
Reply With Quote
  #8   (View Single Post)  
Old 20th February 2009
glenbarber glenbarber is offline
Real Name: Glen Barber
/dev/urandom
 
Join Date: Nov 2008
Location: Philadelphia, PA, USA
Posts: 10
Default

I personally use security/sshguard-pf to automatically create tables of IP addresses to block.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
block spam milo974 OpenBSD Security 1 26th May 2009 11:30 AM
New tool on the block - scrypt s0xxx FreeBSD Security 2 21st May 2009 07:48 AM
Postfix: Block CIDR w/ whitelist?? biscuits FreeBSD Ports and Packages 1 9th February 2009 02:53 AM
Questions about Epiphany and block up popup aleunix OpenBSD Packages and Ports 0 14th June 2008 06:18 AM
BSD n00b needs to block incoming SQL on 3306 renolinux FreeBSD Security 5 27th May 2008 02:26 PM


All times are GMT. The time now is 05:01 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick