Date: Sun, 06 Dec 2009 14:18:21 +0100 From: olli hauer <ohauer@gmx.de> To: Nico De Dobbeleer <nico@elico-it.be> Cc: freebsd-pf@freebsd.org Subject: Re: Limit connections doens't work Message-ID: <4B1BAF1D.9070105@gmx.de> In-Reply-To: <6783768.102251260022192330.JavaMail.root@zimbra-store> References: <6783768.102251260022192330.JavaMail.root@zimbra-store>
next in thread | previous in thread | raw e-mail | index | archive | help
Nico De Dobbeleer wrote: > Hello, > > As most of the public ip's my servers are constantly under bruteforce attack see example: > > Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2 > Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226 > Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2 ... > > Now I want to limit the connection over ssh to a specific ipaddress and I added the rules below for that. > ------------------------------------------------------------------------------------------------------------------ > #Tables > table <abusive_ips> persist file "/etc/pf.abusive_ips.block.list" > table <brute> persist > > # Rules > > block quick from <abusive_ips> > block quick from <brute> > > > # Limit connections per IP > > pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state > (max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush) > pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state > (max-src-conn 10, max-src-conn-rate 3/15, overload <brute> flush) > pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state > (max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush) > -------------------------------------------------------------------------------------------------------------------- > > The only problem is that it doesn't work. These rules don't write the abusive ip in the abusif list file or in the <brute> table. > > Anyone an idea why it doesn't overload the ip's when the connections per ip are more then 10 of more then 3/15? - which FreeBSD version is this 6.x 7.x/8.x? - avoid the quick keyword in the rules with overload - pf can preload IP's from file specified in "table <tablename> ... file "/filename" but does not write IP's into the file. I use the script below to do this on a OpenBSD machine. - rewrite your rule and avoid the any keyword pass in on { $ext_if, $int_if, $mng_if } inet proto tcp \ from !<brute> to xx.xx.xx.xx port ssh flags S/SA keep state \ (max-src-conn 10, max-src-conn-rate 3/15, overload <brute> flush) hint: - look for the additional keyword global (flush global) - If the IP in your rule is your base IP on $ext_if write it with as $ext_if:0 this script writes IP's from the bf_* tables into a file so you can preload them next time pf rules are installed or the machine reboots. additional it can send you a mail with IP's added to the table and if GeoIP is installed you get the GeoIP info. With a little modification of the script/rules It will work for you #!/bin/sh ################################################################## # $Source: RCS/pftable_to_file.sh,v $ # OS: OpenBSD # # olli hauer # ################################################################## # sample rule for pf # --------------------------- # block in log quick proto { tcp, udp } from <bf_ssh> \ # to any port ssh label BRUTFORCE-SSH # table for overload connections # # pass in log on $if_ext inet proto tcp from ! <bf_ssh> to $if_ext \ # port = ssh flags S/SA keep state \ # (source-track rule, max-src-conn 10, \ # max-src-conn-rate 3/90, overload <bf_ssh> \ # flush global, if-bound, src.track 90) \ # label "SSH" umask 077 PF_TABLES="bf_mail bf_ssh bf_web" OUTDIR="/etc/pf" GEOIP=/usr/local/bin/geoiplookup # hold the output from pfctl -tx -Ts TMP_PFCTL=`mktemp /tmp/.tmp_pf_table.XXXXXXXXXX` || exit 1 # hold the diff between old and new TMP_DIFF=`mktemp /tmp/.tmp_diff.XXXXXXXXXX` || exit 1 trap 'rm -f ${TMP_PFCTL} ${TMP_DIFF}' 0 1 2 3 13 15 [ -d ${OUTDIR} ] || mkdir -p ${OUTDIR} for TABLE in ${PF_TABLES}; do # make sure the output file exists [ -f ${OUTDIR}/${TABLE} ] || /usr/bin/touch ${OUTDIR}/${TABLE} # extraxt IP's from table /sbin/pfctl -t${TABLE} -Ts | awk '{print $1}' > ${TMP_PFCTL} # we need only the '+diff' to grep for this later /usr/bin/diff -bu ${OUTDIR}/${TABLE} ${TMP_PFCTL} > ${TMP_DIFF} RETVAL=$? case ${RETVAL} in 0) continue ;; 1) # save the old file if [ -f ${OUTDIR}/${TABLE} ]; then cp ${OUTDIR}/${TABLE} ${OUTDIR}/${TABLE}.old fi # mail message header date echo "change in table: ${TABLE}" echo "------------------------------------" # lookup the IP in the GeoIP database if [ -x ${GEOIP} ]; then for IP in `egrep "^\+[0-9]" ${TMP_DIFF} | tr -d \+`; do # print the IP wo. linefeed printf "%-20s # " ${IP} # strip netmask if we add NET by hand IPT=`echo ${IP} | sed 's/\/[[:digit:]]*//g'` # make a short GeoIP output ${GEOIP} ${IPT} | sed 's/ Country Edition//g' done else egrep "^\+[0-9]" ${TMP_DIFF} | tr -d \+ fi mv ${TMP_PFCTL} ${OUTDIR}/${TABLE} ;; *) echo "error in diff" ;; esac done small snippet from my bf_ssh file (places with IP rangees I don't visit in near time) snippet from file:/etc/pf/bf_ssh 12.0.0.0/8 21.0.0.0/8 24.0.0.0/8 25.0.0.0/8 26.0.0.0/8 28.0.0.0/8 29.0.0.0/8 30.0.0.0/8 32.0.0.0/8 33.0.0.0/8 38.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 61.0.0.0/8 62.0.0.0/8 63.0.0.0/8 64.0.0.0/8 ... 216.0.0.0/8 217.0.0.0/8 218.0.0.0/8 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B1BAF1D.9070105>