Hello,

I have a simple firewall set up with OpenBSD 3.9 and have been playing
around with logging ssh login attempts to my DMZ server and banishing
IPs using max-src-conn-rate ...

table <banish> persist    # keep the table across rule reloads

block quick from <banish>
pass in log quick on $ext_if proto tcp from any to $dmz_ip port = ssh \
    flags S/SA synproxy state \
    (max-src-conn 10, max-src-conn-rate 3/10, overload <banish> flush global)

Great fun.

My DMZ server IP is part of a very small cidr block (xxx.xxx.xxx.64 -
xxx.xxx.xxx.67) with .65 being the gateway address and .66 being the
externally visible address.  What is interesting about this is that I
can see automated login attempts coming. The four addresses in my cidr
block will get scanned on port 22 or port 25 fairly regularly.  Shortly
after the initial scan there will be ssh login or smtp relay attempts
on my external address.  I also get keyword spam attempts (e.g.
[EMAIL PROTECTED], [EMAIL PROTECTED], etc.)

I'd like to be able to automatically load any IP address that scans
any of these three non-active addresses on port 22 or port 25 into a
table to be blocked.

I tried setting it up like this:

table <cidr> const { xxx.xxx.xxx.64, xxx.xxx.xxx.65, xxx.xxx.xxx.67 }
table <scanner> persist

block quick from <scanner>
pass in log quick on $ext_if proto tcp from any to <cidr> port = ssh \
    flags S/SA synproxy state \
    (max-src-conn 1, max-src-conn-rate 1/1, overload <scanner> flush global)

This doesn't work because the connections have to exceed the number
limits and pfctl won't let me set the limits to 0.  Each address
usually gets scanned only once from a particular IP.

I gather it is possible to add IP addresses to a table using pfctl run
with a cron job based on what has been logged from pf. However, this
cron job would have to be run frequently to be any more effective than
the <banish> rule listed above.

I've been through the documentation and this mailing list.  Is there
another way to add IP addresses to a table directly using a rule in
pf.conf?  I can see the little bastards coming and I'd like to cut them
off as quickly as possible.

Thanks!
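An added example, not part of the post above and not code from the OpenBSD project: since overload only moves an address into a table once a limit is exceeded, the single SYN a scanner sends to an unused address can instead be picked up from pflog and pushed into the table with pfctl. Reading pflog0 with tcpdump in line-buffered mode does this within a fraction of a second of the packet arriving, so there is no cron interval to wait for. The table names (<decoys>, <scanner>), the interface name fxp0, the PFCTL override and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses (documentation space standing in for the post's xxx.xxx.xxx block) are all assumptions; the pflog lines are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the post above.  Watches pflog for SYNs to the
# decoy addresses and adds each new source to a pf table, so one scan is
# enough: no overload threshold has to be exceeded.
#
# Assumed pf.conf fragment this pairs with (names and addresses are
# assumptions; 192.0.2.0/24 is documentation space standing in for the
# post's xxx.xxx.xxx block):
#
#   table <decoys>  const { 192.0.2.64, 192.0.2.65, 192.0.2.67 }
#   table <scanner> persist
#   block in quick from <scanner>
#   block in log quick on $ext_if proto tcp from any to <decoys> \
#       port { ssh, smtp } flags S/SA

DECOYS="192.0.2.64 192.0.2.65 192.0.2.67"   # addresses nothing should talk to
PORTS="22 25"                               # ssh and smtp

# extract_scanners: read "tcpdump -n -e -ttt -i pflog0" lines on stdin and
# print each distinct source IP that hit a decoy on a watched port.  A line
# looks like
#   ... rule 3/(match) block in on fxp0: 198.51.100.9.4021 > 192.0.2.64.22: S ...
# so the source is the token before ">" and the destination the token after
# it, both written as a.b.c.d.port (destination with a trailing colon).
extract_scanners() {
    awk -v decoys="$DECOYS" -v ports="$PORTS" '
    BEGIN {
        n = split(decoys, d, " "); for (i = 1; i <= n; i++) want_ip[d[i]] = 1
        n = split(ports, p, " ");  for (i = 1; i <= n; i++) want_port[p[i]] = 1
    }
    {
        for (i = 2; i < NF; i++) {
            if ($i != ">") continue
            src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
            # a.b.c.d.port -> split at the last dot; skip lines without a port
            if (!match(dst, /\.[0-9]+$/)) break
            dip = substr(dst, 1, RSTART - 1); dport = substr(dst, RSTART + 1)
            if (!match(src, /\.[0-9]+$/)) break
            sip = substr(src, 1, RSTART - 1)
            if ((dip in want_ip) && (dport in want_port) && !(sip in seen)) {
                seen[sip] = 1
                print sip
                fflush()    # do not sit in a buffer when fed from a live tcpdump
            }
            break
        }
    }'
}

# banish: read one IP per line on stdin and add each to the given pf table.
# PFCTL defaults to the real pfctl; set PFCTL="echo pfctl" for a dry run on
# a box without pf.
banish() {
    table=${1:-scanner}
    while read -r ip; do
        ${PFCTL:-pfctl} -t "$table" -T add "$ip"
    done
}

# Constructed sample pflog output (not real traffic): one host scans three
# decoys, another hits the smtp decoy once, and a third connects to the live
# address .66, which must not be banished.
SAMPLE_LOG='Mar 12 09:14:03.512345 rule 3/(match) block in on fxp0: 198.51.100.9.4021 > 192.0.2.64.22: S 1186442193:1186442193(0) win 5840 <mss 1460> (DF)
Mar 12 09:14:03.612345 rule 3/(match) block in on fxp0: 198.51.100.9.4022 > 192.0.2.67.22: S 1186442194:1186442194(0) win 5840 <mss 1460> (DF)
Mar 12 09:14:05.001122 rule 2/(match) pass in on fxp0: 203.0.113.77.51234 > 192.0.2.66.22: S 3349988:3349988(0) win 65535 <mss 1460> (DF)
Mar 12 09:14:09.330000 rule 3/(match) block in on fxp0: 198.51.100.200.2501 > 192.0.2.65.25: S 99113:99113(0) win 16384 (DF)
Mar 12 09:14:09.990000 rule 3/(match) block in on fxp0: 198.51.100.9.4023 > 192.0.2.65.25: S 1186442195:1186442195(0) win 5840 <mss 1460> (DF)'

# Dry run over the sample: prints the two pfctl commands that would run
# (198.51.100.9 once despite three probes, 198.51.100.200 once, .66's
# visitor not at all).
printf '%s\n' "$SAMPLE_LOG" | extract_scanners | PFCTL="echo pfctl" banish scanner

# Live use, as root on the firewall (tcpdump -l keeps the pipe line-buffered):
#   tcpdump -l -n -e -ttt -i pflog0 'tcp and (dst port 22 or dst port 25)' \
#       | extract_scanners | banish scanner
```

The pf rule for the decoys is a logging block rather than a pass with synproxy, because nothing listens on those addresses and the SYN itself is the evidence; the `block in quick from <scanner>` rule must come first so that the same source's follow-up attempt against the live .66 address never reaches the ssh or smtp rules. Entries added with `pfctl -T add` stay until the table is flushed, so something like a nightly `pfctl -t scanner -T expire` or a periodic flush is still worth having.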
