From owner-freebsd-stable@FreeBSD.ORG Fri Jun 15 16:55:37 2012
From: "Shiv. Nath"
Reply-To: prabhpal@digital-infotech.net
To: "Matthew Seaman"
Cc: freebsd-stable@freebsd.org
Subject: Re: PF to Preventing SMTP Brute Force Attacks
Date: Fri, 15 Jun 2012 16:55:36 -0000
Message-ID: <98c09d7edf95e0e07910e7e5ce46accc.squirrel@mail.digital-infotech.net>
In-Reply-To: <4FDB6490.8080509@infracaninophile.co.uk>
References: <4360846ab93b3a2b1968ee0f262cf148.squirrel@mail.digital-infotech.net> <4FDB6490.8080509@infracaninophile.co.uk>
User-Agent: SquirrelMail/1.4.22
List-Id: Production branch of FreeBSD source code

> Limiting yourself to 200 states won't protect you very much -- you tend
> to get a whole series of attacks from the same IP, and that just uses
> one state at a time.
>
> Instead, look at the frequency with which an attacker tries to connect
> to you. Something like this:
>
>     table <ssh-bruteforce> persist
>
>     [...]
>
>     block in log quick from <ssh-bruteforce>
>
>     [...]
>
>     pass in on $ext_if proto tcp \
>         from any to $ext_if port $trusted_tcp_ports \
>         flags S/SA keep state \
>         (max-src-conn-rate 3/300, overload <ssh-bruteforce> flush global)
>
> Plus you'll need a cron job like this to clean up the bruteforce table,
> otherwise it will just grow larger and larger:
>
>     */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>
> The end result of this is that if one IP tries to connect to you more
> than 3 times in 5 minutes, they will get blacklisted. I normally use
> this just for ssh, so you might want to adjust the parameters
> appropriately. You should also implement a whitelist for IP ranges you
> control or use frequently and that will never be used for bruteforce
> attacks: it is quite easy to block yourself out with these sort of rules.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

Dear Matthew,

Grateful for sending me in the right direction; the solution really sounds good.

Does this look like a good configuration for "/etc/pf.conf"?

    # START
    table <bruteforce> persist

    block in log quick from <bruteforce>

    pass in on $ext_if proto tcp \
        from any to $ext_if port $trusted_tcp_ports \
        flags S/SA keep state \
        (max-src-conn-rate 3/300, overload <bruteforce> flush global)
    # END

AND CRON:

    */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1

What is the function of "expire 604800"? Are they entries in the table?

Should it be -t bruteforce or -t ssh-bruteforce?

Thanks
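As an added example (not part of either message in this thread), here is a complete /etc/pf.conf fragment that combines the rate-limit rule Matthew describes with the whitelist he recommends, using a single table name so the cron expiry line refers to the same table the overload clause fills. The interface name, the port list and the whitelist addresses are placeholders to be replaced with your own values.

```conf
# Added example /etc/pf.conf fragment; not from the original thread.
# Placeholders: em0, the port list and the whitelist addresses.
ext_if = "em0"
trusted_tcp_ports = "{ 22, 25 }"

# Sources that must never be auto-blocked: your own ranges, monitoring hosts.
table <whitelist> persist { 192.0.2.0/24, 198.51.100.10 }

# Filled by the overload clause below; "persist" keeps the table while empty.
table <bruteforce> persist

# Whitelisted sources match this quick rule first, so the block rule never sees them.
pass in quick on $ext_if proto tcp from <whitelist> to $ext_if port $trusted_tcp_ports \
    flags S/SA keep state

# Anything already in the table is dropped and logged.
block in log quick from <bruteforce>

# More than 3 new connections from one source within 300 seconds adds that source
# to <bruteforce>; "flush global" also tears down its existing states.
pass in on $ext_if proto tcp from any to $ext_if port $trusted_tcp_ports \
    flags S/SA keep state \
    (max-src-conn-rate 3/300, overload <bruteforce> flush global)
```

The matching cron entry is then `*/12 * * * * /sbin/pfctl -t bruteforce -T expire 604800 >/dev/null 2>&1`: `-T expire 604800` removes entries that have been in the table for more than 604800 seconds (seven days), so the name after `-t` must be the table named in the `overload` clause, otherwise the blacklist never shrinks. `pfctl -t bruteforce -T show` lists the addresses currently blocked, and `pfctl -t bruteforce -T delete <address>` removes one by hand if you lock yourself out.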