Date: Fri, 15 Jun 2012 17:36:32 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: prabhpal@digital-infotech.net
Cc: freebsd-stable@freebsd.org
Subject: Re: PF to Preventing SMTP Brute Force Attacks
Message-ID: <4FDB6490.8080509@infracaninophile.co.uk>
In-Reply-To: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net>
References: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net>
On 15/06/2012 17:17, Shiv. Nath wrote:
> Hi FreeBSD Gurus,
>
> I want to use PF to prevent SMTP brute force attacks. I need some help
> to understand the correct syntax.
>
> URL explaining this: http://www.openbsd.org/faq/pf/filter.html#stateopts
>
> I expect the following behavior from the PF rule below:
>
> Limit the absolute maximum number of states that this rule can create to 200
>
> Enable source tracking; limit state creation based on states created by
> this rule only
>
> Limit the maximum number of nodes that can simultaneously create state to 100
>
> Limit the maximum number of simultaneous states per source IP to 3
>
> Solution:
> int0="em0"
> trusted_tcp_ports="{22,25,443,465}"
>
> pass in on $int0 proto tcp from any to any port $trusted_tcp_ports keep
> state max 200, source-track rule, max-src-nodes 100, max-src-states 3

Limiting yourself to 200 states won't protect you very much -- you tend
to get a whole series of attacks from the same IP, and that just uses
one state at a time.

Instead, look at the frequency with which an attacker tries to connect
to you. Something like this:

  table <bruteforce> persist

  [...]

  block in log quick from <bruteforce>

  [...]

  pass in on $ext_if proto tcp \
      from any to $ext_if port $trusted_tcp_ports \
      flags S/SA keep state \
      (max-src-conn-rate 3/300, overload <bruteforce> flush global)

Plus you'll need a cron job like this to clean up the bruteforce table,
otherwise it will just grow larger and larger (the table name must match
the one used in the overload option above):

  */12 * * * * /sbin/pfctl -t bruteforce -T expire 604800 >/dev/null 2>&1

The end result of this is that if one IP tries to connect to you more
than 3 times in 5 minutes, they will get blacklisted.
I normally use this just for ssh, so you might want to adjust the
parameters appropriately. You should also implement a whitelist for IP
ranges you control or use frequently and that will never be used for
bruteforce attacks: it is quite easy to block yourself out with this
sort of rule.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
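Added example, not from the thread or from pf itself: a small Python model of how the max-src-conn-rate 3/300 rule and the cron expiry discussed above decide per source address. It assumes pf's rate counter is a linearly decaying fixed-point count (PF_THRESHOLD_MULT = 1000, overload when the count exceeds rate * 1000), which is my reading of pf's threshold code; the "flush global" part (killing the source's existing states) and the whitelist are not modelled, and the sample connections are constructed.

```python
from dataclasses import dataclass

PF_THRESHOLD_MULT = 1000  # pf keeps the rate counter in fixed point


@dataclass
class Threshold:
    """Per-source connection-rate counter with linear decay (pf-style)."""
    limit: int    # connections allowed per `seconds` (the "3" in 3/300)
    seconds: int  # rate interval (the "300")
    last: int     # timestamp of the previous connection
    count: int = 0

    def add(self, now: int) -> None:
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0  # a full interval passed: start over
        else:
            self.count -= self.count * diff // self.seconds  # decay
        self.count += PF_THRESHOLD_MULT
        self.last = now

    def exceeded(self) -> bool:
        return self.count > self.limit * PF_THRESHOLD_MULT


def simulate(syns, rate=3, seconds=300, expire=604800):
    """syns: time-ordered (timestamp, src) SYNs to a protected port.
    Returns ([(ts, src, pass|overload|blocked)], final <bruteforce> table)."""
    nodes, bruteforce, verdicts = {}, {}, []
    for ts, src in syns:
        # the cron job: expire table entries older than `expire` seconds
        for ip, added in list(bruteforce.items()):
            if ts - added >= expire:
                del bruteforce[ip]
        if src in bruteforce:  # "block in log quick from <bruteforce>"
            verdicts.append((ts, src, "blocked"))
            continue
        node = nodes.setdefault(src, Threshold(rate, seconds, last=ts))
        node.add(ts)
        if node.exceeded():  # overload <bruteforce>; flush not modelled
            bruteforce[src] = ts
            verdicts.append((ts, src, "overload"))
        else:
            verdicts.append((ts, src, "pass"))
    return verdicts, bruteforce


# Constructed sample: 203.0.113.7 hammers the port, 198.51.100.5 is a normal
# client, and the attacker returns once its table entry has expired.
SAMPLE = [(0, "203.0.113.7"), (0, "198.51.100.5"), (10, "203.0.113.7"),
          (20, "203.0.113.7"), (30, "203.0.113.7"), (45, "203.0.113.7"),
          (200, "198.51.100.5"), (400, "198.51.100.5"), (604830, "203.0.113.7")]
```

simulate(SAMPLE) marks 203.0.113.7 as overload on its fourth SYN (t=30), blocks it at t=45 and lets it through again at t=604830 once the entry has expired, while 198.51.100.5 passes every time. Because the counter decays rather than counting a strict window, a client connecting every 60 seconds trips the 3/300 rule on its fifth connection.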