DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 8th August 2008
ijk ijk is offline
Fdisk Soldier
 
Join Date: Jun 2008
Posts: 47
Default pf.conf brute force rule

When I added the rule below it locked me out what is wrong with it

Code:
pass quick proto { tcp, udp } from any to any port $brute_block keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pf.conf
Code:
# Macros: define common values, so they can be referenced and changed easily.
ext_if="rl0"
tcp_services = "{ domain, www, https, 10000 }"
udp_services = "{ domain }"
brute_block = "{ ssh, 10000 }"

# Tables
table <sshadmins> persist file "/etc/sshallow"
table <bruteforce> persist file "/etc/brufeforce"


# Set Optimizations:
set loginterface $ext_if

set skip on lo0

# Normalization / scrubbing
scrub in all

antispoof quick for { lo0 $ext_if }

block all
block quick from <bruteforce>

pass proto udp to any port $udp_services
pass proto tcp from any to self port $tcp_services
pass in on $ext_if inet proto icmp all icmp-type 8
# Allow access to sshd. 
pass in on $ext_if proto tcp from <sshadmins> to self port ssh

# brute force blocking
pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
Reply With Quote
  #2   (View Single Post)  
Old 8th August 2008
ddekok ddekok is offline
Port Guard
 
Join Date: May 2008
Posts: 38
Default

You ended up in the bruteforce table.

What you should have is

Code:
...
block all
pass quick from <sshadmins>
block quick from <bruteforce>
...
This will allow the sshadmins in even if they end up in the bruteforce table.

Something else you should look into is expiretable (/usr/ports/security/expiretable) to clean out entries that are older than a specified amount of time. That way, if you do get banned you only have to wait so long before you can get in again. I have expiretable cleaning out entries after 30 minutes.

Last edited by ddekok; 8th August 2008 at 09:44 PM. Reason: corrected table name
Reply With Quote
  #3   (View Single Post)  
Old 9th August 2008
ijk ijk is offline
Fdisk Soldier
 
Join Date: Jun 2008
Posts: 47
Default

yes it must have been the case.
But I did not try to brute force my way in as I know the access passwords

Would this max-src-conn 15 and me trying to access webmin cause a lock out as it would have taken me only one attempt to log in.

How many max-src-conn [i.e connections] does a web page like webmin generate.

cheers
__________________
Freebsd 7 64 bit apache2.2 php5 mysql5
Reply With Quote
  #4   (View Single Post)  
Old 10th August 2008
hunteronline hunteronline is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 52
Default

This may help, http://johan.fredin.info/openbsd/blo...ruteforce.html
Reply With Quote
  #5   (View Single Post)  
Old 10th August 2008
ddekok ddekok is offline
Port Guard
 
Join Date: May 2008
Posts: 38
Default

Quote:
Originally Posted by ijk View Post
yes it must have been the case.
But I did not try to brute force my way in as I know the access passwords

Would this max-src-conn 15 and me trying to access webmin cause a lock out as it would have taken me only one attempt to log in.

How many max-src-conn [i.e connections] does a web page like webmin generate.

cheers
I don't know anything about webmin, however, my money is on the max-src-conn-rate that got you banned.

Say you have "max-src-conn-rate 3/5", that means that if there are 3 (or more) connections made over a 5 second period, that address gets put into the bruteforce table.
Reply With Quote
  #6   (View Single Post)  
Old 10th August 2008
hunteronline hunteronline is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 52
Default any

"pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)"

Someone correct me if I'm wrong on this. Doesn't the second "any" in the rule above include all ports?

Why not just change the ssh port and drop all attempts to connect to 22.
Reply With Quote
  #7   (View Single Post)  
Old 11th August 2008
s0xxx's Avatar
s0xxx s0xxx is offline
Package Pilot
 
Join Date: May 2008
Posts: 192
Default

Quote:
Originally Posted by hunteronline View Post
"pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)"

Someone correct me if I'm wrong on this. Doesn't the second "any" in the rule above include all ports?
No, it simply means "from any address to any address". Port is ssh, as mentioned in the rule. Check hosts part in GRAMMAR section of pf.conf(5):

http://www.freebsd.org/cgi/man.cgi?q...t=html#GRAMMAR
__________________
The best way to learn UNIX is to play with it, and the harder you play, the more you learn.
If you play hard enough, you'll break something for sure, and having to fix a badly broken system is arguably the fastest way of all to learn. -Michael Lucas, AbsoluteBSD
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh brute force attacks sniper007 FreeBSD Security 21 12th June 2011 01:28 AM
pf: why is that rule not working? ivanatora FreeBSD General 14 11th December 2008 09:32 AM
pf.conf lumiwa FreeBSD Security 11 20th September 2008 01:01 AM
difference between rc.conf and loader.conf disappearedng FreeBSD General 5 3rd September 2008 05:54 AM
rc.conf questions starbuck FreeBSD General 2 29th July 2008 06:16 PM


All times are GMT. The time now is 04:41 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick