Date: Fri, 5 Mar 2010 10:35:07 -0600 From: John <john@starfire.mn.org> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: John <john@starfire.mn.org>, mikel king <mikel.king@olivent.com>, Programmer In Training <pit@joseph-a-nagy-jr.us>, freebsd-questions@freebsd.org Subject: pf overload for SMTP (was: Thousands of ssh probes) Message-ID: <20100305163507.GA18338@elwood.starfire.mn.org> In-Reply-To: <4B912ADC.1040802@infracaninophile.co.uk> References: <20100305125446.GA14774@elwood.starfire.mn.org> <4B910139.1080908@joseph-a-nagy-jr.us> <20100305132604.GC14774@elwood.starfire.mn.org> <F4960422-5F59-4FF4-A2E4-1F0A4772B78B@olivent.com> <20100305154439.GA17456@elwood.starfire.mn.org> <4B912ADC.1040802@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Mar 05, 2010 at 04:01:32PM +0000, Matthew Seaman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 05/03/2010 15:44:39, John wrote: > > Maybe I'll have to learn how to do a VPN from FreeBSD.... > > > > One thought that occurs to me is that pf tables would provide a > > direct API without having to hit a database. > > > > I think I really like this. I may have to implement it for pf. > > It should be really easy with CGI and calls to pfctl. > > There's already a mechanism whereby you can connect into a PF firewall > and have it open up extra access for you, all controlled by ssh keys. > > See: http://www.openbsd.org/faq/pf/authpf.html > > Not only that, but you can dynamically block brute force attempts to > crack SSH passwords using just PF -- no need to scan through auth.log or > use an external database. You need something like this in pf.conf: > > table <ssh-bruteforce> persist > > [...near the top of the rules section...] > block drop in log quick on $ext_if from <ssh-bruteforce> > > [...later in the rules section...] > pass in on $ext_if proto tcp \ > from any to $ext_if port ssh \ > flags S/SA keep state \ > (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global) > > This adds IPs to the ssh-bruteforce table if there are too frequent > attempts to connect from them (more than 3 within 30 seconds in this > case) and so blocks all further access. > > You need to run a cron job to clear out old entries from the > ssh-bruteforce table or it will grow continually over time: > > */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 86400 >/dev/null 2>&1 > > Cheers, > > Matthew Is there any reason one couldn't do something similar for SMTP? Maybe a little wider sample window, like 10/300? Or would you end up blocking too any things that you don't mean to block? Anyone played with this for SMTP? -- John Lind john@starfire.MN.ORG The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries. - Winston Churchill
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100305163507.GA18338>