On 15/06/2012 17:55, Shiv. Nath wrote:
>
>> Limiting yourself to 200 states won't protect you very much -- you tend
>> to get a whole series of attacks from the same IP, and that just uses
>> one state at a time.
>>
>> Instead, look at the frequency with which an attacker tries to connect
>> to you. Something like this:
>>
>> table <bruteforce> persist
>>
>> [...]
>>
>> block in log quick from <bruteforce>
>>
>> [...]
>>
>> pass in on $ext_if proto tcp \
>> from any to $ext_if port $trusted_tcp_ports \
>> flags S/SA keep state \
>> (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>>
>> Plus you'll need a cron job like this to clean up the bruteforce table,
>> otherwise it will just grow larger and larger:
>>
>> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>>
>> The end result of this is that if one IP tries to connect to you more
>> than 3 times in 5 minutes, they will get blacklisted. I normally use
>> this just for ssh, so you might want to adjust the parameters
>> appropriately. You should also implement a whitelist for IP ranges you
>> control or use frequently and that will never be used for bruteforce
>> attacks: it is quite easy to block yourself out with these sort of rules.
>>
>> Cheers,
>>
>> Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>>                                                   Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>> JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
>
>
> Dear Matthew,
>
> Grateful for sending me in the right direction, the solution really sounds good.
> Does this look like a good configuration for "/etc/pf.conf"?
>
> # START
> table bruteforce persist

Watch the syntax -- it's  table <bruteforce> persist  with angle brackets.

> block in log quick from bruteforce
>
> pass in on $ext_if proto tcp \
> from any to $ext_if port $trusted_tcp_ports \
> flags S/SA keep state \
> (max-src-conn-rate 3/300, overload bruteforce flush global)

Again -- you need angle brackets around the table name.

>
> # END
>
> AND CRON:
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>
> What is the function of "expire 604800"? Are they entries in the table?
> Should it be -t bruteforce or -t ssh-bruteforce?

Ooops.  Yes, -t bruteforce is correct.  "expire 604800" means delete
entries after they've been in the table for that number of seconds (ie
after one week).

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
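The thread describes three pieces of behaviour without showing them in action: `max-src-conn-rate 3/300` putting a source into the `<bruteforce>` table once it exceeds 3 new connections in 5 minutes, the `block ... quick from <bruteforce>` rule (with `flush global`) dropping that source afterwards, and `pfctl -t bruteforce -T expire 604800` removing entries after one week. The following is an added simulation written for this page to make those semantics concrete; it is not pf's own code and not the poster's. The class name, the whitelist handling and the sample connection attempts (addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all constructed here, and the exact packet at which pf trips the limit is modelled after the thread's wording ("more than 3 times in 5 minutes"), not taken from pf's source.

```python
"""Simulation of the pf rate-limit / overload / expire behaviour discussed above.

Added example for this page (not pf's code, not the list poster's).  It models:
  * max-src-conn-rate 3/300 : more than 3 new connections from one source
    within any 300-second window puts that source in the overload table
  * block in log quick from <bruteforce> : sources in the table are dropped
    before the pass rule; "flush global" kills their existing states
  * pfctl -t bruteforce -T expire 604800 : entries older than 604800 s are
    removed from the table
Assumptions: a "connection" is one SYN at a given epoch second, and the
whitelist is a plain set of addresses that is never added to the table.
"""
from collections import defaultdict, deque

RATE_CONNS = 3          # the "3" in max-src-conn-rate 3/300
RATE_WINDOW = 300       # the "300" (seconds)
EXPIRE_AFTER = 604800   # pfctl -T expire 604800 (one week)


class BruteForceGuard:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)      # hypothetical: your own ranges
        self.table = {}                      # ip -> epoch second it was added
        self._recent = defaultdict(deque)    # ip -> SYN times in the window
        self._states = defaultdict(int)      # ip -> open states (for flush)
        self.log = []                        # what "block ... log" would record

    def connect(self, ip, now):
        """Verdict for one new connection: 'pass', 'block' or 'overload'."""
        if ip in self.whitelist:
            self._states[ip] += 1
            return "pass"
        if ip in self.table:                 # block in log quick from <bruteforce>
            self.log.append((now, ip, "block"))
            return "block"
        window = self._recent[ip]
        window.append(now)
        while window and window[0] <= now - RATE_WINDOW:
            window.popleft()                 # drop SYNs older than 300 s
        if len(window) > RATE_CONNS:         # rate exceeded -> overload
            self.table[ip] = now
            self._states[ip] = 0             # flush global: existing states die
            window.clear()
            self.log.append((now, ip, "overload"))
            return "overload"
        self._states[ip] += 1
        return "pass"

    def expire(self, now, seconds=EXPIRE_AFTER):
        """Model of `pfctl -t bruteforce -T expire <seconds>`; returns removed ips."""
        stale = [ip for ip, added in self.table.items() if now - added >= seconds]
        for ip in stale:
            del self.table[ip]
        return stale

    def open_states(self, ip):
        return self._states[ip]


# Constructed sample: (epoch second, source address).
SAMPLE_ATTEMPTS = [
    (1000, "203.0.113.5"), (1010, "203.0.113.5"), (1020, "203.0.113.5"),
    (1030, "203.0.113.5"),                     # 4th SYN in 30 s -> overload
    (1040, "203.0.113.5"),                     # now blocked by the table
    (1000, "198.51.100.7"), (1002, "198.51.100.7"), (1004, "198.51.100.7"),
    (1006, "198.51.100.7"), (1008, "198.51.100.7"),   # whitelisted admin host
    (1000, "203.0.113.9"), (1100, "203.0.113.9"), (1200, "203.0.113.9"),
    (1300, "203.0.113.9"), (1400, "203.0.113.9"),     # one per 100 s: never trips
]


def simulate(attempts, whitelist=("198.51.100.7",)):
    guard = BruteForceGuard(whitelist)
    verdicts = [(t, ip, guard.connect(ip, t)) for t, ip in sorted(attempts)]
    return guard, verdicts


if __name__ == "__main__":
    guard, verdicts = simulate(SAMPLE_ATTEMPTS)
    for t, ip, v in verdicts:
        print(t, ip, v)
    print("table:", guard.table)
    print("expired after a week:", guard.expire(1030 + EXPIRE_AFTER))
```

Two things the run makes visible that the config alone does not: the slow source (one SYN every 100 seconds) never enters the table because the 300-second window only ever holds three of its attempts, and a whitelisted address is untouched no matter how fast it reconnects, which is exactly why the thread warns you to whitelist the ranges you administer from before enabling such a rule.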