Re: auto-adding bad hosts to a table
Daniel Ouellet wrote:
> Ray Lai wrote:
> > I thought you meant you could do something like:
> >
> >     block in log-table zombie to port 25
> >
> > where zombie is updated automatically.
>
> If you read on the PF and look at what I send you, you will see that bad-ssh IS updated automatically. That's what the line:
>
>     (max-src-conn-rate 5/30, overload <bad_ssh> flush global)
>
> does. After 5 connections in 30 seconds, the IP address is put automatically into the table bad_ssh and flush global removes any state in the PF table. Just adjust the max-src-conn-rate 5/30 for what you want.
>
> Hope this makes it more clear.

Side note: It's possible to have more than one rule, to approximate a curve of sorts. I have the following rules on my router:

    pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
        flags S/SA modulate state \
        ( max-src-conn-rate 5/30, overload <denied-hosts> flush global )
    pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
        flags S/SA modulate state \
        ( max-src-conn-rate 8/60, overload <denied-hosts> flush global )

The second catches the slightly slower scans that may skirt by the first rule. The curve for such scans can be approximated by as many of these rules as necessary, though I've found that just the two seems to work fine for me.

I have performed only the most cursory inspection of the code and therefore am not entirely qualified to comment, but believe that it ought not be prohibitively difficult to allow the construction of a list of such rates within a single rule for optimization purposes and/or easier readability of the configuration file, e.g.

    pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
        flags S/SA modulate state \
        ( max-src-conn-rate { 5/30, 8/60, ... }, \
          overload <denied-hosts> flush global )

... with the table portion being an implicit OR of those rates (5 in 30 OR 8 in 60 OR ...).

I see a relatively small number of functions and structures that would need to be changed, in net/pf.c and net/pfvar.h mostly (change of pf_threshold structures to permit multiple count/time/limit triads and logic to update them) with a wee bit of spanking for the parser to get it to understand the table specification for rate curves in addition to the current limit/time specification. (Perhaps a new curve data structure, to go along with the table structures? That seems to have some interesting implications for some pf knobs used in certain places for queueing, timeout settings, and so forth.)

Again, I am speaking ex ano, and expect (rightly) to be ignored until I can produce a patch; I merely bring it up for comment. This behavior can, as noted, be approximated with the current state of pf.

--
(c) 2005 Unscathed Haze via Central Plexus [EMAIL PROTECTED]
I am Chaos. I am alive, and I tell you that you are Free. -Eris
Big Brother is watching you. Learn to become Invisible.
| Your message must be this wide to ride the Internet. |
Re: auto-adding bad hosts to a table
On Wednesday 22 February 2006 16:48, Daniel Ouellet wrote:
> If you read on the PF and look at what I send you, you will see that bad-ssh IS updated automatically. That's what the line:
>
>     (max-src-conn-rate 5/30, overload <bad_ssh> flush global)
>
> does. After 5 connections in 30 seconds, the IP address is put automatically into the table bad_ssh and flush global removes any state in the PF table. Just adjust the max-src-conn-rate 5/30 for what you want.
>
> Hope this makes it more clear.

But with max-src-conn-rate aren't you actually allowing connections? The first thing I want to do is block connections, not allow them. Will use of max-src-conn-rate work with a block? With attempted connections that never get allowed?

Chris
Re: auto-adding bad hosts to a table
On Wednesday 22 February 2006 15:37, Ray Lai wrote:
> Do ``block in log on port 25'' and listen to pflog0 to add bad hosts.

Bit of an OpenBSD n00b here. How would I go about listening to pflog0? I thought that required tcpdump running. What I want it running continuously on a small, dedicated firewall box (concerned about processing power as well as security)?

Chris
Re: auto-adding bad hosts to a table
On Wednesday 22 February 2006 16:19, Stuart Henderson wrote:
> recent (preferably -current/snapshot ports) smtp-vilter handles this quite nicely.

Thanks but it's probably not a solution in this case. I'm not that experienced with OpenBSD but I'm a bit leery about running -current on a dedicated firewall/router (or maintaining a -current installation otherwise). Also it isn't the mail server, which is a Linux box running Postfix. Was hoping for a pure pf solution.

Chris
Re: auto-adding bad hosts to a table
* Chris Smith [EMAIL PROTECTED] [2006-02-23 09:34]:
> On Wednesday 22 February 2006 15:37, Ray Lai wrote:
> > Do ``block in log on port 25'' and listen to pflog0 to add bad hosts.
>
> Bit of an OpenBSD n00b here. How would I go about listening to pflog0? I thought that required tcpdump running. What I want it running continuously on a small, dedicated firewall box (concerned about processing power as well as security)?
>
> Chris

man pflog

If you have ADD and can't read the whole thing

man pflog | grep tcpdump
Re: auto-adding bad hosts to a table
Chris Smith wrote:
> But with max-src-conn-rate aren't you actually allowing connections? The first thing I want to do is block connections, not allow them. Will use of max-src-conn-rate work with a block? With attempted connections that never get allowed?

A block rule will just block all connections. That's easy:

    block in on $if proto tcp from any to ($if) port ssh

Done. No SSH traffic is gonna get through that, that's fer-damned-sure.

(I'll demonstrate first with my own SSH-scanner rule, that being what I have at hand to work with. Your requirements will be covered below.)

However, if you want to trigger on something, you need to use a pass rule first, to let those connections in:

    pass in on $if proto tcp from any to ($if) port ssh \

EXCEPT for those originating from those thrice-damned SSH spam-scanners (may their souls be rent with iron claws in the sulfur-pits of Gehenna) which you want to consign to the Outer Darkness; we discover these after their fifth (or third, or eighth, or however many-th) connection attempt in a specified timeframe (here, 30 seconds), which is not normal behavior for SSH:

        ( max-src-conn-rate 5/30, \

... and when that is triggered, you want to not only add them to the Outer Darkness table, which you block with an earlier rule in pf.conf:

          overload <OuterDarknessTable> \

(referencing previous rule: block in quick on $if from <OuterDarknessTable> to any)

... you want to flush all states associated with that IP, preventing it from using a previously-established connection for any nastiness:

          flush \

... and you want that to apply to states generated from any rule, to boot:

          global )

Think of that max-src-conn-rate as an exception: Pass these in, BUT, if the connection meets this criteria (#conns/time), add it to this table and purge all states containing this address. That is necessary for the triggering behavior of which you speak.

For your purposes, I would *guess* that the following would work:

    pass in on $net_if proto tcp from ($internal_net) to ! $mailhost \
        port smtp \
        ( max-src-conn-rate 1/60, overload <InfectedTable> \
          flush global )

with a corresponding rule:

    block in on $net_if from <InfectedTable> to any

That should trigger the first time someone diddles an SMTP port that doesn't belong to your mailserver (the behavior you're looking for), chucking the unfortunate host onto a blacklist, which you are presumably checking on a periodic basis (cronjob perhaps, run once every minute or five, pfctl -t InfectedTable -T show - that should mail you only if there is output of that command, i.e. if a host has been added to that table.)

Caveat: these rules will have to be replicated for each internal network interface you have.

Caveat #2: unless there's one network interface on your pf box for each host, the host will still be able to send traffic to anything on its segment. Restated: you will only be able to quarantine your network on a per-interface basis.

Hope that helps!

--
(c) 2005 Unscathed Haze via Central Plexus [EMAIL PROTECTED]
Re: auto-adding bad hosts to a table
On Thursday 23 February 2006 11:40, Bob Beck wrote:
> > Bit of an OpenBSD n00b here. How would I go about listening to pflog0? I thought that required tcpdump running. What I want it running continuously on a small, dedicated firewall box (concerned about processing power as well as security)?
>
> man pflog
>
> If you have ADD and can't read the whole thing
>
> man pflog | grep tcpdump

I don't have ADD but apparently I don't spell all that correctly. So with the misspelled word What replaced with Would, parts of my previous post might make some more sense:

---
How would I go about listening to pflog0? I thought that required tcpdump running. Would I want it running continuously on a small, dedicated firewall box (concerned about processing power as well as security)?
---

IOW, from your experience, is tcpdump safe in this scenario and is its overhead minimal?

Thanks.

Chris
Re: auto-adding bad hosts to a table
On 2006-02-23 12:07:03 -0500, Chris Smith wrote:
> ---
> How would I go about listening to pflog0? I

http://www.openbsd.org/faq/pf/logging.html

> IOW, from your experience, is tcpdump safe in this scenario and is its overhead minimal?

Overhead of the FAQ solution is minimal here (DSL fw single host). But that depends on your traffic.

Best
Martin
--
http://www.tm.oneiros.de
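Ray Lai's suggestion (a "block in log" rule on port 25, then watch pflog0 and add the offenders to a table) and the FAQ's tcpdump recipe can be glued together with a small script. This is an added example, not code from anyone in the thread: the table name, interface name and mail-server address are assumptions, and the pflog lines fed to it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: table "infected",
# internal interface em1, mail server 192.0.2.25.
TABLE=infected
MAILHOST=192.0.2.25   # assumed mail server; never quarantined by this script

# Read tcpdump's pflog output on stdin and print each distinct source address
# that pf blocked on its way to port 25. Expected line shape from
# "tcpdump -n -e -ttt -i pflog0":
#   <time> rule N/(match) block in on em1: SRC.PORT > DST.PORT: S ...
pflog_offenders() {
    awk -v mailhost="$MAILHOST" '
        / rule [0-9]+\/\(match\) block in on / {
            # after "on <if>:" come SRC.PORT, ">", DST.PORT:
            for (i = 1; i <= NF; i++)
                if ($i == "on") { src = $(i + 2); dst = $(i + 4); break }
            if (dst !~ /\.25:$/) next        # only SMTP attempts count
            sub(/\.[0-9]+$/, "", src)         # strip the source port
            if (src == mailhost) next         # safety net for the mail server
            if (!seen[src]++) print src       # one line per offending host
        }'
}

# Constructed sample of tcpdump output; not real traffic. Host .50 tries two
# outside SMTP servers, .20 is passed to the real mail server, .77 tries once,
# .88 is blocked on port 80 and therefore not an SMTP offender.
SAMPLE='Feb 23 12:00:01.000001 rule 4/(match) block in on em1: 192.168.1.50.49152 > 203.0.113.9.25: S 1:1(0) win 65535
Feb 23 12:00:02.000002 rule 4/(match) block in on em1: 192.168.1.50.49153 > 198.51.100.7.25: S 2:2(0) win 65535
Feb 23 12:00:03.000003 rule 7/(match) pass in on em1: 192.168.1.20.50000 > 192.0.2.25.25: S 3:3(0) win 65535
Feb 23 12:00:04.000004 rule 4/(match) block in on em1: 192.168.1.77.1025 > 203.0.113.9.25: S 4:4(0) win 65535
Feb 23 12:00:05.000005 rule 9/(match) block in on em1: 192.168.1.88.1026 > 203.0.113.9.80: S 5:5(0) win 65535'

offenders_from_sample() { printf '%s\n' "$SAMPLE" | pflog_offenders; }

# Live use on the firewall would replace the sample with the interface:
#   tcpdump -l -n -e -ttt -i pflog0 'tcp and dst port 25' | pflog_offenders | \
#       while read ip; do pfctl -t "$TABLE" -T add "$ip"; done
if [ "${1:-}" = "--demo" ]; then
    offenders_from_sample
fi
```

The table fed this way still needs a "block in quick on $int_if from <infected> to any" rule ahead of the pass rules, exactly as with the overload approach; the script only decides who goes in.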
auto-adding bad hosts to a table
In addition to preventing infected PCs from using their own SMTP engine to send out spam by blocking port 25 from all but the mail server, I would also like to add those hosts automatically to a table in order to block their access altogether so that the infected PCs cannot attempt other damage. How can this be accomplished?

Thanks.

Chris
Re: auto-adding bad hosts to a table
Chris Smith wrote:
> In addition to preventing infected PCs from using their own SMTP engine to send out spam by blocking port 25 from all but the mail server, I would also like to add those hosts automatically to a table in order to block their access altogether so that the infected PCs cannot attempt other damage. How can this be accomplished?

You can use PF for that. pass connection from any to your smtp server and block everything else to port 25 with log into a table. You also use that table to block all outgoing connections.
Re: auto-adding bad hosts to a table
On Wed, Feb 22, 2006 at 02:47:02PM -0500, Chris Smith wrote:
> In addition to preventing infected PCs from using their own SMTP engine to send out spam by blocking port 25 from all but the mail server, I would also like to add those hosts automatically to a table in order to block their access altogether so that the infected PCs cannot attempt other damage. How can this be accomplished?

Do ``block in log on port 25'' and listen to pflog0 to add bad hosts. Basically the opposite of spamlogd(8).

-Ray-
Re: auto-adding bad hosts to a table
On Wed, Feb 22, 2006 at 03:31:41PM -0500, Daniel Ouellet wrote:
> Chris Smith wrote:
> > In addition to preventing infected PCs from using their own SMTP engine to send out spam by blocking port 25 from all but the mail server, I would also like to add those hosts automatically to a table in order to block their access altogether so that the infected PCs cannot attempt other damage. How can this be accomplished?
>
> You can use PF for that. pass connection from any to your smtp server and block everything else to port 25 with log into a table. You also use that table to block all outgoing connections.

Can you really log into a table? I don't see anything in pf.conf(5) for that.

-Ray-
Re: auto-adding bad hosts to a table
Ray Lai wrote:
> On Wed, Feb 22, 2006 at 03:31:41PM -0500, Daniel Ouellet wrote:
> > Chris Smith wrote:
> > > In addition to preventing infected PCs from using their own SMTP engine to send out spam by blocking port 25 from all but the mail server, I would also like to add those hosts automatically to a table in order to block their access altogether so that the infected PCs cannot attempt other damage. How can this be accomplished?
> >
> > You can use PF for that. pass connection from any to your smtp server and block everything else to port 25 with log into a table. You also use that table to block all outgoing connections.
>
> Can you really log into a table? I don't see anything in pf.conf(5) for that.

Why not? spamd uses it and you can do many things. I use something like this for example to limit the connections to ssh. Just reverse it to limit connections to smtp instead. And then instead of blocking the users in the table to the port ssh only, block all. Just play with it, it's fun! (:

I use different rules to trap various viruses for example. Very efficient!

    snip
    # define macros for each network interface
    ext_if="fxp0"
    snip
    # Define some variable for clarity
    SSH_LIMIT="(max-src-conn-rate 5/30, overload <bad_ssh> flush global)"
    snip
    # Table directive
    table <bad_ssh> persist file "/var/log/bad_ssh"
    snip
    # Allow quick valid traffic to ssh but log all attempts as well
    block return-rst log quick proto tcp from <bad_ssh> label "ssh-pirate"
    pass in log quick on $ext_if inet proto tcp from !<bad_ssh> \
        to $ext_if port ssh flags S/SA keep state \
        $SSH_LIMIT label "ssh"
    snip

Then you add a cronjob to update your file /var/log/bad_ssh once a day or something in case you patch your box and reboot, so as not to lose the list. Or you can flush it every 24 hours as well, your choice really if you want to be more forgiving.

Daniel
Re: auto-adding bad hosts to a table
On 2006/02/22 14:47, Chris Smith wrote:
> In addition to preventing infected PCs from using their own SMTP engine to send out spam by blocking port 25 from all but the mail server, I would also like to add those hosts automatically to a table in order to block their access altogether so that the infected PCs cannot attempt other damage. How can this be accomplished?

recent (preferably -current/snapshot ports) smtp-vilter handles this quite nicely.
Re: auto-adding bad hosts to a table
On Wed, Feb 22, 2006 at 04:17:35PM -0500, Daniel Ouellet wrote:
> Ray Lai wrote:
> > On Wed, Feb 22, 2006 at 03:31:41PM -0500, Daniel Ouellet wrote:
> > > Chris Smith wrote:
> > > > In addition to preventing infected PCs from using their own SMTP engine to send out spam by blocking port 25 from all but the mail server, I would also like to add those hosts automatically to a table in order to block their access altogether so that the infected PCs cannot attempt other damage. How can this be accomplished?
> > >
> > > You can use PF for that. pass connection from any to your smtp server and block everything else to port 25 with log into a table. You also use that table to block all outgoing connections.
> >
> > Can you really log into a table? I don't see anything in pf.conf(5) for that.
>
> Why not? spamd uses it and you can do many things. I use something like this for example to limit the connections to ssh. Just reverse it to limit connections to smtp instead. And then instead of blocking the users in the table to the port ssh only, block all. Just play with it, it's fun! (:
>
> I use different rules to trap various viruses for example. Very efficient!
>
>     snip
>     # define macros for each network interface
>     ext_if="fxp0"
>     snip
>     # Define some variable for clarity
>     SSH_LIMIT="(max-src-conn-rate 5/30, overload <bad_ssh> flush global)"
>     snip
>     # Table directive
>     table <bad_ssh> persist file "/var/log/bad_ssh"
>     snip
>     # Allow quick valid traffic to ssh but log all attempts as well
>     block return-rst log quick proto tcp from <bad_ssh> label "ssh-pirate"
>     pass in log quick on $ext_if inet proto tcp from !<bad_ssh> \
>         to $ext_if port ssh flags S/SA keep state \
>         $SSH_LIMIT label "ssh"
>     snip
>
> Then you add a cronjob to update your file /var/log/bad_ssh once a day or something in case you patch your box and reboot, so as not to lose the list. Or you can flush it every 24 hours as well, your choice really if you want to be more forgiving.

I thought you meant you could do something like:

    block in log-table zombie to port 25

where zombie is updated automatically.

-Ray-
Re: auto-adding bad hosts to a table
Ray Lai wrote:
> I thought you meant you could do something like:
>
>     block in log-table zombie to port 25
>
> where zombie is updated automatically.

If you read on the PF and look at what I send you, you will see that bad-ssh IS updated automatically. That's what the line:

    (max-src-conn-rate 5/30, overload <bad_ssh> flush global)

does. After 5 connections in 30 seconds, the IP address is put automatically into the table bad_ssh and flush global removes any state in the PF table. Just adjust the max-src-conn-rate 5/30 for what you want.

Hope this makes it more clear.
Re: auto-adding bad hosts to a table
Ray Lai wrote:
> I thought you meant you could do something like:
>
>     block in log-table zombie to port 25
>
> where zombie is updated automatically.

Read this section and you will get a few good ideas on logging to a table and then using the same table to block the traffic you don't want:

http://openbsd.org/faq/pf/filter.html

If you use it wisely, I think it is more efficient than other means, plus it's in the base system and safe and secure to use and very fast as well.
Re: auto-adding bad hosts to a table
On Wed, Feb 22, 2006 at 04:48:19PM -0500, Daniel Ouellet wrote:
> Ray Lai wrote:
> > I thought you meant you could do something like:
> >
> >     block in log-table zombie to port 25
> >
> > where zombie is updated automatically.
>
> If you read on the PF and look at what I send you, you will see that bad-ssh IS updated automatically. That's what the line:
>
>     (max-src-conn-rate 5/30, overload <bad_ssh> flush global)
>
> does. After 5 connections in 30 seconds, the IP address is put automatically into the table bad_ssh and flush global removes any state in the PF table. Just adjust the max-src-conn-rate 5/30 for what you want.
>
> Hope this makes it more clear.

Ah, neat.

-Ray-