OpenBSD Security
Handling ssh login attempts with pf
Hello.
For a couple of days my little router has been seeing a lot of connections to port 22 from a bunch of the same hosts, which my pf firewall correctly drops. How can I put those attempts automatically into a table "attackers"? I had something like the following in mind. Is that possible?
Code:
    table <attackers> persist
    block in quick on $EXT from <attackers>
    block in quick on $EXT from any to ($EXT:0) port 22 (max 1, overload <attackers> flush)
I use the following in my pf.conf; I do NOT use port 22, it saves mucho scans and logging of dropped packets.
Code:
    TCP_SVCS = "{ 32009 }"
    table <bruteforce> persist
    block drop log quick from { <bruteforce>, <noroute> }
    pass in log quick on { $EXT, $INT } inet proto tcp from ip.addr.allowed to { $EXT } port $TCP_SVCS flags S/SA modulate state (max-src-conn 10, max-src-conn-rate 3/10, overload <bruteforce> flush global)
http://johan.fredin.info/openbsd/blo...ruteforce.html
http://openbsd-wiki.org/index.php?title=PF_Examples
__________________
The more you learn, the more you realize how little you know ....
Last edited by J65nko; 10th January 2010 at 07:24 PM. Reason: Added [code] tags ;)
I have a similar rule in my pf.conf for port 80. Since ssh listens on a port other than 22 (for safety reasons), I simply want to make a similar rule but with block instead of pass, so that everyone who tries to connect to port 22 is put into the table attackers automatically.
Edit the rule accordingly and do not flush it at all? (Verify this please, I am not certain.) It will keep the table of offenders in PF. Something like this may be helpful; I just typed this out and have not run it in PF to test, feel free.
Code:
    table <offenders> persist
    block log quick on $EXT from any to port 22 (overload <offenders> flush global)
__________________
The more you learn, the more you realize how little you know ....
Does not work; I get a syntax error. So far I have only been able to use overload in conjunction with pass and keep state. Any other clues? Maybe there's another way, via match?
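The syntax error reported above is expected: overload is a state option, so it is only accepted on a rule that keeps state, which a block rule cannot do. The following pf.conf fragment is an added example (not posted in this thread) of how the two goals fit together: the real ssh service on a moved port is throttled with overload, while the unused port 22 is logged so that a pflog reader can fill the table. It assumes $EXT is the external interface macro and that sshd listens on 32009 (the port from the earlier post); the table name attackers is the one from the first post.

```pf
# Added example, not from the thread. Assumes: $EXT = external interface,
# sshd moved to port 32009, nothing listens on port 22.

table <attackers> persist

# Offenders are dropped before anything else. Entries come from the overload
# option below or from a pflog reader; age them out from cron with
#   pfctl -t attackers -T expire 86400
block drop in quick on $EXT from <attackers>

# The default port: nothing listens there, so every SYN is a probe. overload
# is a keep-state option, which is why "block ... (overload ...)" is a syntax
# error; log the attempts instead and let a pflog reader add the sources.
block drop in log quick on $EXT inet proto tcp from any to ($EXT) port 22

# The real ssh port: allow, but throttle a single source. max-src-conn and
# max-src-conn-rate only count connections that completed the 3-way
# handshake, so a "honeypot" pass rule on the closed port 22 would never
# trigger the overload; that is why port 22 is handled by logging above.
pass in on $EXT inet proto tcp from any to ($EXT) port 32009 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, overload <attackers> flush global)
```

With this layout, a source that completes more than three ssh handshakes in 30 seconds on the real port lands in the table and has all of its existing states killed (flush global); anything that touches port 22 is only logged, and the decision to blacklist it is left to whatever reads pflog, so a single stray SYN does not block a host for good.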
In the beginning of http://www.daemonforums.org/showthre...8994#post28994 I refer to a discussion on the FreeBSD mailing list. IIRC somebody posted a perl program to do something with the IP addresses of those SSH hammerers.
Some time ago I read an analysis of these SSH probes. There are two stages. In stage one, bots scan network blocks for open SSH port 22. Then, after distributing the addresses found, the bots start doing the ssh login probes in the second stage. So simply moving your incoming SSH listen port to something other than the default port 22 will usually save you from being probed in stage two. Previously a single bot, and thus a single IP address, probed several login names and passwords in a row, so in the past you could block multiple failed connection attempts from a single IP address. Nowadays a couple of coordinated bots each probe a single name/password, so each individual probe uses a different IP address. And because you don't want to automatically blacklist an IP address because of one failed login attempt, dealing with these idiots has become more challenging. How would you like it if gmail blocked you for one single mistyped password? My tips:
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
It's not that I want to block them forever... I'd have added a rule to crontab that removes expired hosts after 1 day (pfctl -t bad_guys -T expire 3600). I'm seeing probes on other ports and simple icmp echo requests as well.
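The two posts above make two points that a pflog reader can serve at once: the port-22 sources have to be added to the table and expired again from cron, and the probes have changed from one hammering host to many coordinated hosts with one attempt each, which a per-source threshold cannot catch. The script below is an added example, not code from this thread or from the pflog-reading perl program mentioned earlier. It assumes the line format that tcpdump prints for a logged block rule when reading pflog0 or /var/log/pflog, and the table name attackers from the first post; the log lines embedded in it are constructed from TEST-NET addresses, not real probes.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses pflog output as printed by
#   tcpdump -n -e -ttt -i pflog0      (or: tcpdump -n -e -r /var/log/pflog)
# for a logged block rule, e.g.
#   Jan 10 19:02:11.100000 rule 3/(match) block in on em0: 198.51.100.7.51234 > 192.0.2.10.22: S 1:1(0) win 65535
# Format and table name <attackers> are assumptions of this example.

# Constructed sample (TEST-NET addresses); the last line is a pass and is ignored.
SAMPLE_LOG='Jan 10 19:02:11.100000 rule 3/(match) block in on em0: 198.51.100.7.51234 > 192.0.2.10.22: S 1:1(0) win 65535
Jan 10 19:02:12.200000 rule 3/(match) block in on em0: 198.51.100.8.51235 > 192.0.2.10.22: S 1:1(0) win 65535
Jan 10 19:02:13.300000 rule 3/(match) block in on em0: 203.0.113.5.40001 > 192.0.2.10.22: S 1:1(0) win 65535
Jan 10 19:02:14.400000 rule 3/(match) block in on em0: 203.0.113.6.40002 > 192.0.2.10.22: S 1:1(0) win 65535
Jan 10 19:03:01.000000 rule 3/(match) block in on em0: 203.0.113.9.33000 > 192.0.2.10.5900: S 1:1(0) win 65535
Jan 10 19:03:02.000000 rule 3/(match) block in on em0: 203.0.113.9.33001 > 192.0.2.10.5900: S 1:1(0) win 65535
Jan 10 19:03:03.000000 rule 3/(match) block in on em0: 203.0.113.9.33002 > 192.0.2.10.5900: S 1:1(0) win 65535
Jan 10 19:04:01.000000 rule 3/(match) block in on em0: 198.51.100.20.1111 > 192.0.2.10.80: S 1:1(0) win 65535
Jan 10 19:04:02.000000 rule 3/(match) block in on em0: 198.51.100.20.1112 > 192.0.2.10.80: S 1:1(0) win 65535
Jan 10 19:04:03.000000 rule 3/(match) block in on em0: 198.51.100.21.1113 > 192.0.2.10.80: S 1:1(0) win 65535
Jan 10 19:04:04.000000 rule 3/(match) block in on em0: 198.51.100.21.1114 > 192.0.2.10.80: S 1:1(0) win 65535
Jan 10 19:05:00.000000 rule 5/(match) pass in on em0: 198.51.100.30.2222 > 192.0.2.10.32009: S 1:1(0) win 65535'

# parse_blocks: stdin = pflog lines, stdout = "dport srcip" for each logged
# incoming block. The fields around ">" are "src.sport" and "dst.dport:".
parse_blocks() {
    awk '/ rule [0-9]+\/\(match\) block in on / {
        for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1) }
        sub(/:$/, "", dst)
        split(src, a, "."); split(dst, b, ".")
        print b[5], a[1] "." a[2] "." a[3] "." a[4]
    }'
}

# sources_for_port PORT: unique source addresses that probed PORT.
sources_for_port() {
    parse_blocks | awk -v p="$1" '$1 == p && !seen[$2]++ { print $2 }'
}

# summarize: one line per port, "port attempts distinct_sources verdict".
# Many distinct sources with about one attempt each is the distributed
# pattern described in the thread; one source with many attempts is the
# old hammering pattern that max-src-conn-rate style limits were made for.
summarize() {
    parse_blocks | awk '{
        attempts[$1]++
        if (!seen[$1, $2]++) sources[$1]++
    }
    END {
        for (p in attempts) {
            if (sources[p] == 1) v = "single-source"
            else if (sources[p] >= 0.8 * attempts[p]) v = "distributed"
            else v = "mixed"
            printf "%s %d %d %s\n", p, attempts[p], sources[p], v
        }
    }' | sort -n
}

# --live: add every source that hit port 22 to the table; pair it in crontab
# with "pfctl -t attackers -T expire 86400" so entries older than a day go
# away again. Without an argument the script only reports on the sample.
if [ "$1" = "--live" ]; then
    tcpdump -n -e -r /var/log/pflog | sources_for_port 22 |
        while read -r ip; do pfctl -t attackers -T add "$ip"; done
else
    printf '%s\n' "$SAMPLE_LOG" | summarize
    printf 'would add to <attackers>: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | sources_for_port 22 | tr '\n' ' ')"
fi
```

On the sample, port 22 comes out as four attempts from four sources (distributed), port 80 as four attempts from two sources (mixed) and port 5900 as three attempts from a single source; only the 5900 case would ever be caught by a per-source rate limit, which is the practical consequence of the stage-two behaviour described above.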
An example of probes from June 2009 as posted on the FreeBSD questions mailing list:
Quote:
A more recent log from Dec 2009:
Quote:
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 10th January 2010 at 07:06 PM. Reason: Added newest probes from multiple machines
It's quite true that the ssh probe behaviour has changed during the last few months. But not for other ports (e.g. 5900).
Tags: ssh brute force attack, ssh hammering, ssh login attempts, ssh probes