Aflatoon Aflatooni wrote:
> Is there a way that I could configure the server so that if there are for example X attempts from an IP address then for the next Y hours all the SSH requests would be ignored from that IP address? There are only a handful of people who have access to that server.
>
> Yes. In pf.conf:
>
>     table persist [...]
>     block drop in log quick on $ext_if from [...]
>     pass in on $ext_if proto tcp \
>         from any to $ext_if port ssh \
>         flags S/SA keep state \
>         (max-src-conn-rate 3/30, overload flush global)
>
> plus you'll need to add a cron job to clear old entries out of the ssh-bruteforce table after a suitable amount of time has passed. Use expiretable to do that.
>
> Note: in practice I've found that it's a *really good idea* to implement a SSH whitelist of addresses that will never be bruteforce blocked like this -- it's very easy to lock yourself out even if everything you're doing is entirely legitimate. Coding that is left as an exercise for the reader.
>
> What is the best way of testing the PF rule? Is there a quick way to mimic a brute force? Is there a way that I could review the content of the table through pfctl -s all
To test, you need access to a machine not in your whitelist from where you
can try ssh'ing into the protected machine several times in rapid sequence.
3 times in 30s sounds quite fast, but it is actually not too hard to achieve
accidentally, especially if you use tools like rsync over SSH transport. You
should have a login concurrently from some other IP or on the console, otherwise
you will lock yourself out.
To see what IPs have been added to the ssh-bruteforce table and when and what
traffic has been blocked:
# pfctl -vv -t ssh-bruteforce -T show
To manually delete an IP from the ssh-bruteforce table:
# pfctl -t ssh-bruteforce -T delete 12.34.56.78
As noted elsewhere in this thread, instead of using expiretable, you can run
this out of cron to expire addresses over a day old from the ssh-bruteforce
blocklist:
# pfctl -t ssh-bruteforce -T expire 86400
The pfctl(8) man page is pretty illuminating.
Cheers,
Matthew
PS. Got to love the way that HTML-ising e-mail has deleted the table name
from the examples above. I hope you could actually read it unmunged. Plain
text rools!
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
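An added example, not from this thread, of the whitelist Matthew leaves as an exercise, combined with the overload rule and the cron-driven expiry discussed above. The interface name, the whitelist addresses and the table name `<ssh-bruteforce>` (which the HTML-ised quote dropped) are assumptions:

```pf
# Added example, not from the thread. Interface and addresses are placeholders.
ext_if = "em0"

# Filled automatically by the overload rule below; persist keeps the table
# across rule reloads. Inspect it with: pfctl -vv -t ssh-bruteforce -T show
table <ssh-bruteforce> persist

# Sources that must never be rate-limited: an admin host and an office net.
table <ssh-whitelist> persist { 203.0.113.10, 198.51.100.0/24 }

# 1. Whitelisted sources reach SSH without the rate limit, so they are never
#    added to <ssh-bruteforce>; quick makes this the final decision for them,
#    even if the address was added to the table by hand.
pass in quick on $ext_if proto tcp from <ssh-whitelist> to $ext_if port ssh \
    flags S/SA keep state

# 2. Anything already in the table is dropped and logged.
block drop in log quick on $ext_if from <ssh-bruteforce>

# 3. Everyone else: more than 3 new connections in 30 s adds the source to
#    the table and tears down its existing states (flush global).
pass in on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

# Root crontab entry (not part of pf.conf): hourly, drop entries older than
# one day, as the pfctl -T expire 86400 command in the thread does.
# 0 * * * *  /sbin/pfctl -t ssh-bruteforce -T expire 86400
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and keep a console session open while testing, as Matthew advises.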
