OpenBSD Security (Functionally paranoid!)
pf.conf and some questions about brute attacks
As I'm discovering my way through pf while reading the book "The Book of PF", I have some questions and need a little help. First of all, I want to be able to configure pf to stop brute force attacks. So, let's go to pf.conf as the book gives in the example.

First I have to create a table with
Code:
table <bruteforce> persist file "/etc/bruteforce"
After that, we're creating the rule
Code:
block quick from <bruteforce>
What I don't understand is the following:
Code:
pass inet proto tcp to $localnet port $tcp_services \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)
In the case I want to transfer files from outside the local network (for example I'll say 150 small text files; not a chance, but for the sake of the question), must I configure max-src-conn-rate, or does every file count as a new connection (and therefore I have to modify max-src-conn)?
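As an added example (not part of the thread and not the book's ruleset), here is a complete pf.conf that answers the question above in comments: what max-src-conn and max-src-conn-rate actually count, and why one session copying 150 files behaves differently from 150 separate connections. The interface name ale0, the service ports, the admin address 192.0.2.10 in <trusted> and the path /var/db/bruteforce are assumptions for illustration.

```pf
# Added example, not from the thread. Interface, ports and addresses assumed.
int_if = "ale0"
localnet = $int_if:network
tcp_services = "{ ssh, 62222, www }"
udp_services = "{ 62222 }"

# Tables: the overload target, and hosts that must never end up in it.
# The persist file must exist when the ruleset is loaded (touch it first).
# pf reads it at load time but never writes it back: runtime additions are
# lost on "pfctl -f" unless you dump the table with "pfctl -T show" first.
table <bruteforce> persist file "/var/db/bruteforce"
table <trusted> { 192.0.2.10 }    # assumed: your own admin address

set skip on lo

block log all

# Hosts in <trusted> bypass the limiter, so an admin cannot lock himself out.
pass in quick on $int_if proto tcp from <trusted> to $localnet port $tcp_services

# Anything already overloaded is dropped before the pass rules are evaluated.
block in quick from <bruteforce>

# What the two counters measure (pf.conf(5), "Stateful Tracking Options"):
#   max-src-conn 100        at most 100 *concurrent* TCP connections that have
#                           completed the 3-way handshake from one source
#   max-src-conn-rate 15/5  at most 15 *new* TCP connections from one source
#                           in a 5-second interval (a moving-average estimate)
# One ssh/sftp session that copies 150 files is ONE connection, so it trips
# neither limit. A loop running scp 150 times opens 150 connections: once the
# source exceeds about 15 in 5 seconds it is added to <bruteforce>, and
# "flush global" kills every state it already has, not just the new ones.
pass in on $int_if proto tcp to $localnet port $tcp_services \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)

# UDP has no handshake, so max-src-conn cannot apply; plain stateful pass.
pass in on $int_if proto udp to $localnet port $udp_services

pass out on $int_if
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and age out old entries with `pfctl -t bruteforce -T expire 86400` (seconds) so a dynamic address that once misbehaved is not blocked forever.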
The inet/inet6 parameter is used to distinguish between IPv4 and IPv6, it is not in place of in/out.
Just a reminder, if you're using the latest version of OpenBSD/pf, you'll need the second edition of The Book of PF.
Do you (or anyone else) find those rules ok? I know I may seem a little hasty but seeing all those log entries somehow scares me.
If you want someone to review your ruleset, you should post the entire file in [code][/code] blocks, as an attachment, or hosted on personal webspace.
Be advised that it may take time for someone to respond, but there are a few PF experts on the forums who seem to enjoy tackling overly complicated rulesets.
So it's time for me to post my first pf.conf and hope it's not a complete fail:
Code:
# macros defined
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ ssh, 62222, www }"
udp_services = "{ ssh, 62222, www }"

# tables
table <bruteforce> persist file "/etc/bruteforce"

# block rules
block all
block quick from <bruteforce>

# pass rules
pass inet proto tcp to $localnet port $tcp_services \
    keep state (max-src-conn 100, max-src-conn-rate 20/5, \
    overload <bruteforce> flush global)
- Is this going to work? I expect to be able to do simple browsing, be able to ssh to this machine (main desktop) and keep port 62222 open (for transmission). So as far as I can tell, in the macros ssh is port 22, www is port 80 and 62222 is... well, 62222.
- The macro "localnet = $int_if:network": is it used to filter my traffic and the traffic from other PCs connected to my desktop?
Those are the questions that come to my mind for now. Back to reading and I'll be coming with more. Thank you.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Here is my complete pf.conf again. Thank you very much for your help. Can you find more mistakes? For now, it seems to work fine with browsing but port 62222 for transmission seems closed. Why is this happening?
Code:
# macros defined
int_if="ale0"
localnet = $int_if:network
tcp_services = "{ ssh, 62222, www }"
udp_services = "{ ssh, 62222, www }"

# tables
table <bruteforce> persist file "/etc/bruteforce"

# options
set loginterface $int_if

# block rules
block log all
block quick from <bruteforce>

# pass rules
pass inet proto tcp to $localnet port $tcp_services \
    keep state (max-src-conn 100, max-src-conn-rate 20/5, \
    overload <bruteforce> flush global)
pass out all
[edit]: also, before pass out all, do I need to add the rule
Code:
pass inet proto udp to $localnet port $udp_services
p.s. I've never been so excited about an OS again...
Last edited by Daffy; 25th March 2011 at 09:51 AM. Reason: add
The book is a gentle introduction to pf. The details about set loginterface and why it is useful, can be found in the pf.conf(5) manual page.
If you follow my advice, you will see the blocked packets, the protocol (tcp or udp) and the port number in the tcpdump on pflog0 xterm. If you don't want pf to block this type of packets, then you have all the information to create an additional rule that will allow this kind of traffic. Instead of giving hungry Daffy a fish, I am just trying to teach how to fish by yourself.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
After all, I'm already able to do everything I did with other operating systems with OpenBSD and I'm happy. It completely took over my desktop.
The part with the "fish" was the best.
Everything seems to work perfectly now. I modified my pf.conf file even more, mainly the "max-src-conn" and "max-src-conn-rate" numbers, to get the desired results, but I ran into another question.
I blocked an attacker with the IP 77.xx.xx.x and I saw the IP in the bruteforce table with
Code:
>sudo pfctl -t bruteforce -T show
77.xx.xx.x
Code:
>sudo pfctl -f /etc/pf.conf
Code:
table <bruteforce> persist file "/etc/bruteforce"
For anyone else having trouble figuring this out (if my way is wrong, please correct me), I found the way to save entries with
Code:
sudo pfctl -t bruteforce -T show >/etc/bruteforce
Code:
ksh: cannot create /etc/bruteforce: Permission denied
Code:
sudo chmod g+w bruteforce
I hope that's not so bad for a complete newbie.
Last edited by Daffy; 26th March 2011 at 11:29 PM.
Don't do that
Code:
table <bruteforce> persist file "/etc/bruteforce"
No. Make it /var/db/bruteforce or use /var/pf/ after you make the /var/pf dir.
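The last two posts describe the real problem: pf reads a table's "file" when the ruleset is loaded but never writes runtime additions back, so a bare `pfctl -f /etc/pf.conf` discards every address the overload rule collected. The following script is an added example (not the poster's commands and not from the book) of doing the save properly: age out stale entries, merge the live table with the persist file, skip an allowlist so you cannot persist your own address, and write the file atomically. The table name, the path /var/db/bruteforce, the allowlist address 192.0.2.10 and the 86400-second age are assumptions; `merge_entries` is pure text processing and needs no pfctl.

```shell
#!/bin/sh
# Added example, not from the thread. Persist pf's <bruteforce> table across
# "pfctl -f" reloads. Paths, table name and allowlist are assumed values.
set -eu

TABLE=${TABLE:-bruteforce}
PERSIST=${PERSIST:-/var/db/bruteforce}
# Addresses that must never be saved (assumed example: your own address).
NEVER_BLOCK=${NEVER_BLOCK:-192.0.2.10}
MAX_AGE=${MAX_AGE:-86400}     # seconds; older entries are expired before saving

# Merge a table dump on stdin (the format of "pfctl -t T -T show": one
# address per line, indented) with the existing persist file named in $1.
# Trims whitespace, drops blank lines and allowlisted addresses, dedupes,
# and prints the merged, sorted list. Missing persist file is not an error.
merge_entries() {
    existing=$1
    {
        if [ -r "$existing" ]; then cat "$existing"; fi
        cat
    } | awk -v skip="$NEVER_BLOCK" '
        BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) never[a[i]] = 1 }
        { gsub(/^[ \t]+|[ \t]+$/, "") }              # strip pfctl indentation
        $0 == "" || ($0 in never) || seen[$0]++ { next }
        { print }' | sort
}

# Expire old entries, then rewrite the persist file atomically so an
# interrupted write cannot leave pf with an empty or truncated file.
save_table() {
    pfctl -t "$TABLE" -T expire "$MAX_AGE"
    tmp=$(mktemp "${PERSIST}.XXXXXX")
    pfctl -t "$TABLE" -T show | merge_entries "$PERSIST" >"$tmp"
    chmod 0644 "$tmp"
    mv "$tmp" "$PERSIST"
}

# Reload without losing the table: save first, then load the ruleset.
reload_pf() {
    save_table
    pfctl -f /etc/pf.conf
}

case "${1:-}" in
    save)   save_table ;;
    reload) reload_pf ;;
esac
```

Run it as root (`doas`/`sudo ... save`) from cron, and use `reload` instead of a bare `pfctl -f` after editing pf.conf. Create the persist file once with `touch` before the first load, because a `table ... file` line whose file does not exist makes the ruleset fail to load. Writing to /var/db rather than /etc avoids the permission dance in the previous post and keeps generated state out of the configuration tree.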