pf.conf brute force rule
When I added the rule below it locked me out. What is wrong with it?
Code:
pass quick proto { tcp, udp } from any to any port $brute_block keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
Code:
# Macros: define common values, so they can be referenced and changed easily.
ext_if="rl0"
tcp_services = "{ domain, www, https, 10000 }"
udp_services = "{ domain }"
brute_block = "{ ssh, 10000 }"

# Tables
table <sshadmins> persist file "/etc/sshallow"
table <bruteforce> persist file "/etc/brufeforce"

# Set Optimizations:
set loginterface $ext_if
set skip on lo0

# Normalization / scrubbing
scrub in all

antispoof quick for { lo0 $ext_if }

block all
block quick from <bruteforce>

pass proto udp to any port $udp_services
pass proto tcp from any to self port $tcp_services
pass in on $ext_if inet proto icmp all icmp-type 8

# Allow access to sshd.
pass in on $ext_if proto tcp from <sshadmins> to self port ssh

# brute force blocking
pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
|||
You ended up in the bruteforce table.
What you should have is
Code:
...
block all
pass quick from <sshadmins>
block quick from <bruteforce>
...
Something else you should look into is expiretable (/usr/ports/security/expiretable) to clean out entries that are older than a specified amount of time. That way, if you do get banned, you only have to wait so long before you can get in again. I have expiretable cleaning out entries after 30 minutes.
Last edited by ddekok; 8th August 2008 at 09:44 PM. Reason: corrected table name
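To see why the rule order matters here, the following is an added example (not code from this thread, and not pf itself) that replays pf's matching order over the two rulesets above: rules are tried top to bottom, the last matching rule wins, and a matching rule marked `quick` ends evaluation immediately. Only source-table membership and destination port are modelled; interfaces, `self`, protocols and state options are left out, and the addresses are documentation addresses chosen for the example.

```python
"""Model of pf rule evaluation order for the two rulesets discussed above.

Added example, not code from the thread and not pf's own source. Only the
matching order is reproduced: top to bottom, last match wins, 'quick' stops.
"""

# (action, quick, source table or None for 'any', dst port or None for any, overload table)
ORIGINAL = [
    ("block", False, None, None, None),         # block all
    ("block", True, "bruteforce", None, None),  # block quick from <bruteforce>
    ("pass", False, "sshadmins", 22, None),     # pass in ... from <sshadmins> to self port ssh
    ("pass", True, None, 22, "bruteforce"),     # pass quick ... to any port ssh (... overload <bruteforce> ...)
]

FIXED = [
    ("block", False, None, None, None),         # block all
    ("pass", True, "sshadmins", None, None),    # pass quick from <sshadmins>
    ("block", True, "bruteforce", None, None),  # block quick from <bruteforce>
    ("pass", True, None, 22, "bruteforce"),     # pass quick ... port ssh (... overload <bruteforce> ...)
]


def evaluate(ruleset, tables, src, dport):
    """Return (action, overload_table) of the rule that wins for one new connection."""
    winner = None
    for rule in ruleset:
        _, quick, src_table, port, _ = rule
        if src_table is not None and src not in tables.get(src_table, set()):
            continue  # 'from <table>' does not match this source
        if port is not None and port != dport:
            continue  # 'port ssh' does not match this destination port
        winner = rule  # last match wins ...
        if quick:
            break      # ... unless the match is 'quick'
    if winner is None:
        return ("pass", None)  # pf passes traffic that no rule matches
    return (winner[0], winner[4])


def admin_is_rate_limited(ruleset, admin):
    """True if an admin's ssh connection is governed by the overload rule."""
    tables = {"sshadmins": {admin}, "bruteforce": set()}
    return evaluate(ruleset, tables, admin, 22)[1] == "bruteforce"


def admin_can_login_after_overload(ruleset, admin):
    """True if the admin still reaches ssh once listed in <bruteforce>."""
    tables = {"sshadmins": {admin}, "bruteforce": {admin}}
    return evaluate(ruleset, tables, admin, 22)[0] == "pass"


if __name__ == "__main__":
    admin = "192.0.2.10"  # assumed admin address for the example
    for name, rs in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "admin rate-limited:", admin_is_rate_limited(rs, admin),
              "admin passes while in <bruteforce>:", admin_can_login_after_overload(rs, admin))
```

With the posted ruleset the non-quick `pass ... from <sshadmins>` rule is overridden by the later `pass quick ... port ssh` rule, so the admin's own connections are counted toward the overload limits and, once the address is in `<bruteforce>`, `block quick from <bruteforce>` wins. With `pass quick from <sshadmins>` placed before the block, evaluation stops there for admins and the overload rule never applies to them.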
|||
Yes, it must have been the case.
But I did not try to brute force my way in, as I know the access passwords. Would this max-src-conn 15 and me trying to access webmin cause a lock out, as it would have taken me only one attempt to log in? How many max-src-conn [i.e. connections] does a web page like webmin generate? Cheers
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
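The question above (can one webmin page load trip `max-src-conn 15, max-src-conn-rate 5/3`?) comes down to how pf counts. The following is an added example, not code from this thread and not pf's own source; it follows the logic pf applies when a TCP handshake completes (the `pf_src_connlimit` check): the per-source connection count is compared with `max-src-conn`, and a counter scaled by 1000 that decays in proportion to the time elapsed inside the window (pf's `pf_add_threshold`) is compared with `max-src-conn-rate`. `overload <table> flush global` then adds the source to the table and kills all of its states. The timelines are constructed for the example; the assumption that a webmin page load opens 8 parallel connections is illustrative, not measured.

```python
"""Model of pf's per-source limits: max-src-conn, max-src-conn-rate, overload.

Added example, not code from the thread and not pf's own source.
"""

MULT = 1000  # pf's PF_THRESHOLD_MULT: integer math for the decaying counter


class Threshold:
    """Decaying counter behind 'max-src-conn-rate limit/seconds'."""

    def __init__(self, limit, seconds):
        self.limit = limit * MULT
        self.seconds = seconds
        self.count = 0
        self.last = 0

    def add(self, now):
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0                       # whole window elapsed: start over
        else:
            self.count -= self.count * diff // self.seconds  # proportional decay
        self.count += MULT
        self.last = now

    def exceeded(self):
        return self.count > self.limit           # strictly greater, as in pf


class SourceNode:
    def __init__(self, rate):
        self.conn = 0      # connections past the 3-way handshake
        self.rate = rate   # Threshold, or None when no rate limit is set


def simulate(max_src_conn, rate, events):
    """Replay events against one rule; rate is (limit, seconds) or None.

    events: list of (time_in_seconds, src, "est" | "fin"); "est" is a
    completed handshake, "fin" a connection closing. Returns {src: index}
    where index is the 1-based number of the "est" event that put src into
    the overload table, or None if src never overloaded.
    """
    table = set()       # the <bruteforce> table
    nodes, attempts, result = {}, {}, {}
    for now, src, kind in events:
        attempts.setdefault(src, 0)
        result.setdefault(src, None)
        node = nodes.setdefault(src, SourceNode(Threshold(*rate) if rate else None))
        if kind == "fin":
            node.conn = max(0, node.conn - 1)
            continue
        attempts[src] += 1
        if src in table:
            continue    # 'block quick from <bruteforce>' drops the SYN
        node.conn += 1
        bad = bool(max_src_conn) and node.conn > max_src_conn
        if node.rate is not None:
            node.rate.add(now)
            bad = bad or node.rate.exceeded()
        if bad:
            table.add(src)
            node.conn = 0   # flush global: every state from src is killed
            result[src] = attempts[src]
    return result


def burst(src, n, t=0):
    """n handshakes completing within the same second (parallel connections)."""
    return [(t, src, "est")] * n


def trickle(src, n, every=1):
    """n handshakes, one every 'every' seconds, starting at t=0."""
    return [(i * every, src, "est") for i in range(n)]


if __name__ == "__main__":
    admin, attacker = "192.0.2.10", "198.51.100.7"   # documentation addresses
    page = burst(admin, 8)   # assumed: one webmin page load = 8 parallel connections
    print(simulate(15, (5, 3), page))                    # 6th connection locks the admin out
    print(simulate(50, (8, 60), page))                   # same page load passes
    print(simulate(50, (8, 60), trickle(attacker, 12)))  # 1 conn/s: 9th connection trips
    print(simulate(15, None, burst(attacker, 16)))       # 16th open connection trips max-src-conn
```

Two things the model makes visible: a web page that opens a handful of parallel connections to port 10000 is enough to exceed `5/3` on the very first page load, even though only one login was attempted, and the limit is exceeded by the connection after the stated number (the 9th at `8/60`, the 16th at `max-src-conn 15`), not by the stated number itself. Whether you have been caught is visible with `pfctl -t bruteforce -T show`, and `pfctl -t bruteforce -T delete <addr>` releases an address; entries can also be aged out from cron with `pfctl -t bruteforce -T expire 1800`, which does the same job as expiretable.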
|||
This may help, http://johan.fredin.info/openbsd/blo...ruteforce.html
|||
Quote:
Say you have "max-src-conn-rate 3/5", that means that if there are 3 (or more) connections made over a 5 second period, that address gets put into the bruteforce table.
|||
any
"pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)"
Someone correct me if I'm wrong on this. Doesn't the second "any" in the rule above include all ports? Why not just change the ssh port and drop all attempts to connect to 22?
|||
Quote:
http://www.freebsd.org/cgi/man.cgi?q...t=html#GRAMMAR
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn. If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD