On Sat, 2009-12-19 at 06:05 -0600, Justin Krejci wrote:
> While also not what the OP specifically requested but a good option to
> consider in general is to use the overload option to allow PF to dynamically
> add abusing IPs to a table which is then blocked from ssh access. This is
> more for frequent TCP connections on port 22 (or any other) for brute force
> type activity. This is similar to but not the same as the fail2ban type
> scripts.
>
> I get about 5-10 IP's added to my block table every day which is cleared
> daily via cron.
>
Yes, that is a good option but it is not the purpose of the discussion.
He wants to have the ssh port closed and open the ports in a "dynamic"
way. His approach to do that with a dns resolution is not the right
approach to solve the issue. Port Knocking is, by far, the best option
to do that. The problem here is...there is no port knocking support in
OpenBSD then the only solution he has in hands is authpf + bruteforce
tables "to defend" itself from the offenders....which, again, is not the
best approach to solve his problem.
Regards,
Alvaro
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Alvaro Mantilla Gimenez
> Sent: Friday, December 18, 2009 5:31 PM
> To: Karl O. Pinc
> Cc: [email protected]
> Subject: Re: Restricting source with dDNS (dynamic DNS)
>
>
>
> El 18/12/2009, a las 12:20, "Karl O. Pinc" <[email protected]> escribió:
>
> > On 12/18/2009 10:16:44 AM, Peter N. M. Hansteen wrote:
> >> Jim Flowers <[email protected]> writes:
> >>
> >>> To lock down services (particularly ssh) as tightly as possible, I
> >> like to allow
> >>> administrative access to a firewall only from specific ip
> >> addresses.
> >
> >>> Unfortunately, some of the administrators are working from dynamic
> >> ip addresses
> >>> that change with some frequency.
> >>>
> >>> Is there a straightforward way to incorporate dynamic ip source
> >> addresses in the
> >>> pf ruleset?
> >>
> >> I'd say this sounds like a situation where authpf could come in quite
> >> handy.
> >
> > How? I thought authpf grants additional rights to those who
> > can ssh. But he wants to restrict those allowed to ssh period.
> >
> >
>
> If I remember well, sometime ago somebody did a port knocking program
> and he asked in the OpenBSD misc list about to include it into the
> ports tree. He had very bad responses and a very ugly discussion. All
> the people involved into the discussion ( I wasn't ) didn't understood
> special cases like this: if you want to "close" ssh access from the
> world and let some people open ports for administration, maintenance,
> or whatever you want then authpf is not a solution but port knocking
> is. Google about that and you see your solution there. You can, for
> example, define a port combination to execute some script to send you
> a sms with the status of one specifical service and/or another to
> open, for the IP which is doing the combination (of course), the
> redirection port to the SWAT (samba web administration) in one
> specifical server so you can define different port combinations for
> different groups of users...
>
> Google it.
>
> Regards,
>
> Alvaro
