OpenBSD Security: Functionally paranoid!
Handling ssh login attempts with pf
Hello.
For a couple of days now my little router has been seeing a lot of connections to port 22 from a bunch of the same hosts, which my pf firewall correctly drops. How can I put those attempts automatically into a table "attackers"? I had something like the following in mind. Is that possible?
Code:
table <attackers> persist
block in quick on $EXT from <attackers>
block in quick on $EXT from any to ($EXT:0) port 22 (max 1, overload <attackers> flush)
I use the following in my pf.conf. I do NOT use port 22; it saves mucho scans and logging of dropped packets.
Code:
TCP_SVCS = "{ 32009 }"
table <bruteforce> persist
block drop log quick from { <bruteforce>, <noroute> }
pass in log quick on { $EXT, $INT } inet proto tcp from ip.addr.allowed to { $EXT } port $TCP_SVCS flags S/SA modulate state (max-src-conn 10, max-src-conn-rate 3/10, overload <bruteforce> flush global)
http://johan.fredin.info/openbsd/blo...ruteforce.html
http://openbsd-wiki.org/index.php?title=PF_Examples
__________________
The more you learn, the more you realize how little you know .... Last edited by J65nko; 10th January 2010 at 07:24 PM. Reason: Added [code] tags ;)
I have a similar rule in my pf.conf for port 80. Since ssh listens on another port than 22 (for safety reasons), I simply want to make a similar rule, but with block instead of pass, so that everyone who tries to connect to port 22 is put in the table attackers automatically.
Edit the rule accordingly and do not flush it at all? (Verify this please, I am not certain.) It will keep the table of offenders in PF. Something like this may be helpful; I just typed this out and have not run it in PF to test, feel free:
Code:
table <offenders> persist
block log quick on $EXT from any to port 22 (overload <offenders> flush global)
Does not work. I get a syntax error. However, so far I have only been able to use overload in conjunction with pass and keep state. Any other clues? Maybe there's another way? Maybe via match?
I just tried adding something similar to what you are trying to accomplish to my firewall ruleset. It seems that creating the table, then blocking the table, works fine; the rule to drop the traffic to port 22 and add the source to a table is where I am stuck as well.
I tried "block log quick on $EXT from any to port 22" with success, but could not seem to add anything after that (I tried "(max-src-conn 1, max-src-conn-rate 1/3, overload <port22bad> flush global)") and load PF properly. I am not certain whether tables can be used with block rules (I don't see why not, but I found nothing on the PF FAQ or the @openbsd-pf mailing list concerning this). Perhaps a question for @openbsd-pf and the developers to answer; I will actually post, as I am also considering something like this for my PF rules, not to make anything easier and take away from your learning.
I'm not sure. But what happens when I first do pass in port 22 (overload <table>) and then block in quick port 22 directly after (note the quick in the block rule)?
I posted to the PF mailing list; hoping for a good answer.
If you want a bit of a trick to NOT have to subscribe to the lists, you can find the email address per list at http://lists.openbsd.org: from there find the list, find the email address and just email to it.
To check responses, http://marc.info @ openbsd-pf is where they get posted (and nabble and some others too) and you can view the responses; then you can actually email yourself the response, and respond yet again to that. Of course @openbsd-pf is one of the few missing from the web GUI ...
I received a reply from Peter Hansteen himself, which follows. I believe (as stated earlier) that "Block rules do not create state" is the problem here.
Thanks. Maybe sometime they will be adding this feature.
In the beginning of http://www.daemonforums.org/showthre...8994#post28994 I refer to a discussion on the FreeBSD mailing list. IIRC somebody posted a perl program to do something with the IP addresses of those SSH hammerers.
Some time ago I read an analysis of these SSH probes. There are two stages. In stage one, bots scan network blocks for open SSH port 22. Then, after distributing the addresses found, the bots start doing these ssh login probes in the second stage. So simply moving your incoming SSH LISTEN port to something other than the default port 22 will usually save you from being probed in stage two. Previously a single bot, and thus a single IP address, probed several login names and passwords in a row, so in the past you could block multiple failed connection attempts from a single IP address. Nowadays a couple of coordinated bots each probe a single name/password, so each individual probe uses a different IP address. And because you don't want to automatically blacklist an IP address because of one failed login attempt, dealing with these idiots has become more challenging. How would you like it if gmail blocked you for one single mistyped password? My tips:
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
It's not that I want to block them forever... I'd have added a rule to crontab that removes expired hosts after 1 day (pfctl -t bad_guys -T expire 3600). I'm seeing probes on other ports and simple icmp echo requests as well.
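Since block rules create no state for overload to act on, the log-driven route the thread alludes to (the perl program for "SSH hammerers", plus the cron expire above) is the workable alternative; below is an added example of it, not code from the thread or its posters. Everything in it is constructed: the authlog lines, the year, the thresholds and the table name bad_guys (taken from the pfctl command above) are assumptions, and the pfctl commands are only generated, not executed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenBSD-style authlog lines (not from the thread): one hammering
# host, three distributed single-probe hosts, and one slow repeat offender.
SAMPLE_LOG = """\
Jan 10 19:01:02 router sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Jan 10 19:01:05 router sshd[12345]: Failed password for invalid user oracle from 192.0.2.10 port 40124 ssh2
Jan 10 19:01:09 router sshd[12345]: Failed password for root from 192.0.2.10 port 40125 ssh2
Jan 10 19:02:00 router sshd[12346]: Failed password for invalid user test from 198.51.100.7 port 51000 ssh2
Jan 10 19:02:30 router sshd[12347]: Failed password for invalid user test from 198.51.100.8 port 51001 ssh2
Jan 10 19:03:00 router sshd[12348]: Failed password for invalid user test from 198.51.100.9 port 51002 ssh2
Jan 10 19:30:00 router sshd[12349]: Failed password for root from 203.0.113.5 port 60000 ssh2
Jan 10 20:40:00 router sshd[12350]: Failed password for root from 203.0.113.5 port 60001 ssh2
Jan 10 21:50:00 router sshd[12351]: Failed password for root from 203.0.113.5 port 60002 ssh2
"""

# syslog timestamps carry no year, so the caller supplies one (assumed 2010 here).
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def parse_failures(log, year=2010):
    """Yield (timestamp, source_ip) for every 'Failed password' line."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def hammering_hosts(log, threshold=3, window_sec=600):
    """Source IPs with at least `threshold` failures inside any `window_sec` span.
    threshold=1 would blacklist a single mistyped password, which is what the
    thread warns against; distributed one-probe-per-IP bots stay below it."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log):
        by_ip[ip].append(ts)
    hosts = set()
    for ip, times in by_ip.items():
        times.sort()
        # sliding window: the i-th failure against the one (threshold-1) before it
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window_sec:
                hosts.add(ip)
                break
    return hosts

def pfctl_commands(hosts, table="bad_guys", expire_sec=86400):
    """Commands a cron job would run: add offenders, then age out old entries."""
    cmds = [f"pfctl -t {table} -T add {ip}" for ip in sorted(hosts)]
    cmds.append(f"pfctl -t {table} -T expire {expire_sec}")
    return cmds
```

Widening window_sec catches the slow repeat offender as well, at the cost of a larger chance of blocking a legitimate user who fumbles a password a few times a day.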
An example of probes from June 2009 as posted on the FreeBSD questions mailing list:
A more recent log from Dec 2009:
It's quite true that the ssh probe behaviour has changed during the last months. But not with other ports (e.g. 5900).
Tags: ssh brute force attack, ssh hammering, ssh login attempts, ssh probes