Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Thread Tools Display Modes
  #1   (View Single Post)  
Old 24th December 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,911
Default Using divert(4) to reduce attacks

Those of us with exposed services are under constant attack. We are constantly probed by port scans, and subject to a variety of brute force and dictionary attacks.

PF's stateful processing options such as max-src-conn-rate can help us mitigate the effects of rapid attacks ... but many are now distributed, and not trapped by PF stateful processing. Peter N.M. Hansteen has written extensively about these Hail Mary Cloud attacks -- his most recent presentation is here.

Is there a way to stop these attacks? I have disabled password authentications, but I would rather keep these attacks out of my networks if I can. They consume bandwidth, and resources, even if they are never successful.


I decided to integrate the Composite Blocking List (CBL) with PF to block incoming SSH sessions dynamically.


The CBL is one of the many public DNS blocking list services, now operated in concert with SpamHaus. It is an interesting list, because it contains IP addresses used in all sorts of attacks, not just addresses used as spam sources. Through support by SpamHaus' XBL mirrors, more than 100 nameservers globally provide rapid responses to CBL address queries via DNS.
If you're unfamiliar with DNS Block Lists (DNSBLs), they return either an NXDOMAIN DNS response to a query for an address not in their database, or, they return a synthetic IP address in the loopback block (127/8) if the address is listed. The specific address returned may provide the querying application with additional information. Querying applications can use the information in an antispam score, or to block the address, or take other action.

The test address is the only static address in the CBL. You can test it with host(1). Don't forget to reverse the order of the IP address octets.

$ host

or, as recommended (due to extensive mirroring by SpamHaus)

$ host

If you use a Google's public nameserver, or other 3rd party nameservers, your test may fail. If so, use one of your ISP's nameservers:

$ host a.b.c.d
Looking to see if someone had already written a program exploiting divert(4), I discovered dnsbl-divert, a component of Echothrust Solutions' open development project pf-diverters. While not considered production-ready by its developers, I have made some minor modifications and placed it in production on my bastion ssh server, and it is testing incoming SSH connections against the SpamHaus XBL, reinserting packets when they are not in the list, and dropping them when they are.

Here's the pf.conf fragment on the SSH server. There are three tables. <abuse> is my standard table used for abusers of stateful tracking options, <cbl> is a list of addresses found to be in the DNSBL, and <cbl_tested> is a list of all addresses tested. I do not test private adresses (10/8) as they are not on the Internet and would return NXDOMAIN responses anyway. All external addresses that have not previously been tested are diverted to the userland application, which is listening on divert socket 800. It will add the address to the <cbl_tested> table, and then reinsert the packet if the address is not found in the CBL. If it is found, the address will be added to the <cbl> table and the packet will be dropped.
table <cbl> counters persist
table <cbl_tested> counters persist
table <abuse> counters persist
block quick from {<cbl> <abuse>} 
pass in log quick proto tcp from 10/8 to any port ssh 
pass in log quick proto tcp from !<cbl_tested> to any port ssh divert-packet port 800 no state
pass in log proto tcp from any to any port ssh synproxy state \
        (pflow max-src-conn-rate 3 / 30 overload <abuse> flush global)
The dnsbl-divert program is a running daemon (currently started via rc.local(8)) that reports results of each test via syslog(3).

I am currently allowing addresses to expire from all three tables via /etc/daily.local, see daily(8).
echo "expiring after one week:"
echo "<abuse>" `pfctl -t abuse -T show | wc -l` records ; pfctl -t abuse -T expire 604800
echo "<cbl>" `pfctl -t cbl -T show | wc -l` records ; pfctl -t cbl -T expire 604800
echo "expiring after two days:"
echo "<cbl_tested>" `pfctl -t cbl_tested -T show | wc -l` records ; pfctl -t cbl_tested -T expire 172800

Last edited by jggimi; 24th December 2014 at 08:02 PM. Reason: clarity
Reply With Quote
  #2   (View Single Post)  
Old 25th December 2014
gkbsd's Avatar
gkbsd gkbsd is offline
Port Guard
Join Date: Jun 2013
Posts: 23

Very interesting, thanks for sharing

Reply With Quote
  #3   (View Single Post)  
Old 30th December 2014
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Tcpdump Spy
Join Date: Apr 2008
Location: Indonesia
Posts: 2,218

One (potential) problem might be if you yourself end up in this blocklist for whatever reason (such as sending spam). You might find yourself unable to login to this machine, and need to find a different IP to login from (removal from these lists can take a while).

For this reason, I would modify the rules to include something along the lines of:


pass in log quick proto tcp from $trusted to any port ssh
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote
  #4   (View Single Post)  
Old 30th December 2014
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,911

Thank you, you are correct that I could have clients at some NATted IP address that is in the CBL. But while this specific recommendation may be valuable for others, I would not deploy it as you indicate: by specific IP address. To quote naddy@, "Neither IP nor MAC address reliably authenticate a machine."

When I have a need to trust IP addresses I do not control, I use IPSec for authentication. I can pass quick such IPSec traffic so incoming Syn packets are not diverted to the CBL test.

However, in this particular use-case, I do not have IPSec deployed, as all my trusted addresses reside in 10/8. Your advice could be applied, should it become necessary, with IPSec. I would set up an IPSec flow and PF rules to enable authenticated access from NATted addresses that are in the CBL.
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
attacks are not being added to the pf table Daffy OpenBSD Security 4 21st October 2011 04:03 PM
Brute force attacks Dr-D OpenBSD Security 1 18th July 2011 04:06 PM
ssh brute force attacks sniper007 FreeBSD Security 21 12th June 2011 01:28 AM
pf.conf and some questions about brute attacks Daffy OpenBSD Security 10 27th March 2011 08:38 AM
attacks DDoS Sam OpenBSD Security 6 18th December 2009 12:07 AM

All times are GMT. The time now is 08:29 AM.

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick