DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 2nd February 2009
ijk ijk is offline
Fdisk Soldier
 
Join Date: Jun 2008
Posts: 47
Thanked 0 Times in 0 Posts
Default pf flush persist file

Have a file which stores brute force ipaddresses in .

table <brute> persist file "/pathto/brutelist"

the persist file that is brutelist has grown in size.
I would like to periodically flush all entires using a cron job how do i do it.

The commands below donot work

Code:
pfctl -t brute -T flush
pfctl -t /pathto/brutelist -T flush
pfctl -t bruteforce -T expire 86400
the file brutelist remains unchanged. As the above commands delete entires in the pf table but not from the persist file.

how do i periodically flush the persist file.

thanks
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
Reply With Quote
  #2   (View Single Post)  
Old 3rd February 2009
loop loop is offline
New User
 
Join Date: May 2008
Posts: 1
Thanked 0 Times in 0 Posts
Default

You can use the expiretable port (/usr/ports/security/expiretable) to flush the table of entries older than a certain time:

Code:
# Every 5 minutes, clean out the bruteforce pf table of entries older than 1 hour
*/5    *       *       *       *       root    /usr/local/sbin/expiretable -t 3600 ssh-bruteforce
Reply With Quote
  #3   (View Single Post)  
Old 3rd February 2009
ijk ijk is offline
Fdisk Soldier
 
Join Date: Jun 2008
Posts: 47
Thanked 0 Times in 0 Posts
Default persist file

thank you for the reply.

Yes that would flush the entires in the table specified but the entires in the actual persist file remain.

Code:
do i just run an unix command to delete
*/5    *       *       *       *       root    rm "/pathto/brutelist"
does the brutelist file get recreated automatically.
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
Reply With Quote
  #4   (View Single Post)  
Old 3rd February 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts
Default

Code:
cp /dev/null /path/to/brutelist && /sbin/pfctl -t brute -T replace -f /path/to/brutelist
Reply With Quote
  #5   (View Single Post)  
Old 3rd February 2009
ijk ijk is offline
Fdisk Soldier
 
Join Date: Jun 2008
Posts: 47
Thanked 0 Times in 0 Posts
Default two lists

thank you for the help.

Thinking aloud here.

In my pf.conf i have
Code:
table <brute> persist file "/patho/brutelist"
Also run the below cron job every hour
Code:
/sbin/pfctl -t brute -T show >> /pathto/brutelist
If I delete file brutelist say every 3 days does the above cronjob recreate the persist file. I think probably not but want to clarify.

the command below
Code:
/sbin/pfctl -t brute -T replace -f /path/to/brutelist
will replace the in-memory table contents with the file data.
I want the ipaddresses in the table memory effective. As these will be of the most recent attacks. All I want to do is flush all data in the persist file and remove it from the table memory as well. But leave the recent table memory untouched.
Is this possible ?


Also do I really need a persist file. As say I could just run
Code:
pfctl -t brute -T expire 86400
and expire the tables every 24 hours. is there any real advantage with a persist file apart from being able to see the ipaddresses trying to bruteforce their way in.
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
Reply With Quote
  #6   (View Single Post)  
Old 3rd February 2009
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts
Default

You don't really need the file on disk. The only reason you would want that is the reason why I dump the table contents to disk every hour: in case of a crash or a reboot, I use the persist file to re-populate the table (so, at boot-time, I run something like '/sbin/pfctl -t brute -T replace -f /path/to/brutelist', which will populate the table with the entries of the last backup.

Having a file on disk is not a necessity if you don't mind starting with an empty table after a reboot.

Mind: using 'expire 86400' will clear the entries that are > 24h old. All entries that are < 24h will remain untouched. You will normally run that command every hour, not once a day.

Last edited by DutchDaemon; 3rd February 2009 at 01:46 PM.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PHP read file contents - Maximum file size cksraj Programming 1 21st September 2009 11:38 AM
File system at more than 100% michaelrmgreen FreeBSD General 4 28th July 2008 01:52 PM
file:/// mfaridi FreeBSD Security 3 27th July 2008 02:18 PM
How to get NAT log file on FreeBSD ? chamnanpol FreeBSD General 1 17th June 2008 11:49 PM
flush natd rules nenduvel FreeBSD Security 1 3rd May 2008 08:59 PM


All times are GMT. The time now is 06:29 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick