Hi All,
I am seeing ssh authentication attempts on my lo0 interface (127.0.0.1). I have
antispoofing configured. Unfortunately due to unchangeable circumstances, SSH
(TCP/50022) is exposed.
Any idea if my antispoofing configuration is incorrect? Or any other
suggestions to mitigate SSH connections from lo0?
Please note - SSH is configured to listen on TCP/50022. Not TCP/5273, so I have
no idea how or why SSH is responding on TCP/5273.
Regards
dirk
###############################################################################
### Logs ###
### /var/log/authlog ###
Nov 3 21:27:46 server-1 sshd-session[46091]: Connection from 127.0.0.1 port 48186 on 127.0.0.1 port 50022 rdomain "0"
Nov 3 21:27:46 server-1 sshd-session[46091]: User root from 127.0.0.1 not allowed because a group is listed in DenyGroups
Nov 3 21:27:48 server-1 sshd-session[46091]: Connection closed by invalid user root 127.0.0.1 port 48186 [preauth]
Nov 3 21:27:48 server-1 sshd[30737]: srclimit_penalise: ipv4: new 127.0.0.1/32 deferred penalty of 30 seconds for penalty: failed authentication
Nov 3 21:33:19 server-1 sshd-session[42309]: Connection from 127.0.0.1 port 5273 on 127.0.0.1 port 50022 rdomain "0"
Nov 3 21:33:19 server-1 sshd-session[42309]: User root from 127.0.0.1 not allowed because a group is listed in DenyGroups
Nov 3 21:33:23 server-1 sshd-session[42309]: Connection closed by invalid user root 127.0.0.1 port 5273 [preauth]
Nov 3 21:33:23 server-1 sshd[30737]: srclimit_penalise: ipv4: new 127.0.0.1/32 deferred penalty of 30 seconds for penalty: failed authentication
###############################################################################
### /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
# ---=== Global Config ====----
set skip on lo
set block-policy drop
set syncookies adaptive (start 33%, end 12%)
set reassemble yes no-df
set ruleset-optimization none
set optimization aggressive
set limit { states 20000, frags 20000, src-nodes 5000, table-entries 2000000 }
match in all scrub (no-df random-id max-mss 1440)
# ---=== Macros ===---
ports_dns = "{ 53, 853 }"
icmp_useful = "{ echoreq, unreach, timex, timereq }"
icmp6_useful = "{ echoreq, unreach, timex, routersol, neighbrsol, routeradv, neighbradv }"
ip_ext1 = "{ vio0:0 }"
# ---=== Tables ===---
table <bruteforce> persist
table <sshguard> persist
table <sshd_block> persist file "/etc/pf.files/table_sshd_block.txt"
table <script1_block> persist file "/etc/pf.files/script1_block.txt"
table <geoblock> persist file "/etc/pf.files/zones/pf.geoblock.master"
table <githubblkdips> persist file "/etc/pf.files/github_blkd_ips.txt"
table <martians> persist file "/etc/pf.files/martians.txt"
table <snortips> persist file "/etc/pf.files/snortips.txt"
table <wwlogpf> persist file "/etc/pf.files/wwwintrusions.txt"
# ---=== Block: IPv6 rules ===---
block in quick log on egress inet6 from any to self label "Rule:$nr on $if. Block IPv6 Inbound."
block out quick log on egress inet6 from self to any label "Rule:$nr on $if. Block IPv6 Outbound."
# ---=== AntiSpoof rules ===---
antispoof log quick for { lo0, vio0, wg0, tun0 } label "Rule:$nr $if $proto $dstaddr $dstport. Antispoof rule."
block quick log on lo0 inet proto tcp from any to self port { 22,80,443,50022 } label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
block quick log on lo0 inet proto udp from any to self port 51820 label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
block quick log on lo0 inet6 proto tcp from any to self port { 22,80,443,50022 } label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
block quick log on lo0 inet6 proto udp from any to self port 51820 label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
block quick log from urpf-failed label "Rule:$nr $if $proto $dstaddr $dstport. URPF Failure."
block quick log inet proto tcp from any port <1024 to self port {80,443,50022} label "Rule:$nr $if $proto $dstaddr $dstport. Reflection Attack"
block quick log inet proto udp from any port <1024 to self port 51820 label "Rule:$nr $if $proto $dstaddr $dstport. Reflection Attack"
# ---=== Block: Martians ===---
block in quick log on egress inet from <martians> to self label "Rule:$nr on $if. Block Martians Inbound."
block out quick log on egress inet from self to <martians> label "Rule:$nr on $if. Block Martians Outbound."
# ---=== Default OpenBSD Rules ===---
block return in on ! lo0 proto tcp to port 6000:6010 label "Rule:$nr on $if. Default OpenBSD rule - X11"
block return out log proto {tcp udp} user _pbuild label "Rule:$nr on $if. Default OpenBSD rule - pbuild"
# ---=== Block: SSH Guard ===---
block in quick log on egress from <sshguard> to self label "Rule:$nr on $if. SSH Guard Inbound."
block out quick log on egress from self to <sshguard> label "Rule:$nr on $if. SSH Guard Outbound."
block in quick log on egress from <sshd_block> to self label "Rule:$nr on $if. SSH Block Script Inbound."
block out quick log on egress from self to <sshd_block> label "Rule:$nr on $if. SSH Block Script Outbound."
# ---=== Geo Fencing ===---
block in quick log from <geoblock> to self label "Rule:$nr on $if. GeoBlock Inbound."
block return out quick log from self to <geoblock> label "Rule:$nr on $if. GeoBlock Outbound."
# ---=== Block: Snort Intrusion Prevention ===---
block in quick log on egress from <snortips> to self label "Rule:$nr on $if. Snort IPS Block Inbound."
block out quick log on egress from self to <snortips> label "Rule:$nr on $if. Snort IPS Block Outbound."
# ---=== Block: WWW log file parsed offenders ===---
block in quick log on egress from <wwlogpf> to self label "Rule:$nr on $if. WWW offenders Inbound."
block out quick log on egress from self to <wwlogpf> label "Rule:$nr on $if. WWW offenders Outbound."
# ---=== Block: Scripted Block Lists ===---
block in quick log on egress from <script1_block> to self label "Rule:$nr on $if. Bad IPs Block List Inbound."
block out quick log on egress from self to <script1_block> label "Rule:$nr on $if. Bad IPs Block List Outbound."
block in quick log on egress from <githubblkdips> to self label "Rule:$nr on $if. GitHub Repo Banned IPs Inbound."
block out quick log on egress from self to <githubblkdips> label "Rule:$nr on $if. GitHub Repo Banned IPs Outbound."
# ---=== Block: Bruteforce Protection ===---
block in quick log on egress from <bruteforce> to self label "Rule:$nr on $if. Bruteforcers Inbound."
block out quick log on egress from self to <bruteforce> label "Rule:$nr on $if. Bruteforcers Outbound."
# ---=== Inbound Access: SSH Allow and Source Track ===---
pass in quick log on egress inet proto tcp from any port >1023 to $ip_ext1 port = 50022 flags S/SA synproxy state (source-track rule, max-src-conn 3, max-src-conn-rate 3/10, overload <bruteforce> flush global, src.track 600) label "Rule:$nr on $if interface. Inbound SSH."
# ---=== Inbound Access: HTTP/S ===---
pass in quick log on egress inet proto tcp from any port >1023 to $ip_ext1 port = 80 flags S/SA synproxy state (source-track rule, max-src-conn 64, max-src-conn-rate 64/300, overload <bruteforce> flush global, src.track 3600) label "Rule:$nr on $if interface Inbound HTTP."
pass in quick log on egress inet proto tcp from any port >1023 to $ip_ext1 port = 443 flags S/SA synproxy state (source-track rule, max-src-conn 64, max-src-conn-rate 64/300, overload <bruteforce> flush global, src.track 3600) label "Rule:$nr on $if interface Inbound HTTPS."
# ---=== Inbound Access: Wireguard ===---
pass in quick log on egress inet proto udp from any port >1023 to $ip_ext1 port = 51820 keep state (source-track rule, max-src-conn 30, overload <bruteforce> flush global, src.track 3600) label "Rule:$nr on $if interface. Inbound Wireguard VPN."
pass in quick log on wg0 inet proto tcp from wg0:network port >1023 to wg0:0 port = 50022 label "Rule:$nr on $if interface. Inbound WG SSH."
pass in quick log on wg0 inet proto icmp from wg0:network to $ip_ext1 label "Rule:$nr on $if interface. Inbound WG ICMP."
block in quick log on egress inet proto udp from any to self port = 51820 label "Rule:$nr on $if interface. Inbound Wireguard VPN."
# ---=== User Outbound Rules: dhcp ===---
pass out quick log inet proto udp from self port {67,68} to 255.255.255.255 port {67,68} user _dhcp label "$nr: Allow DHCP service on ports 67 68"
block out quick log inet proto {tcp udp} from self to any group _dhcp label "$nr: Block DHCP service"
# ---=== Outbound Access: NTP ===---
pass out quick log inet proto udp from self port >1023 to any port 123 user _ntp set tos ef label "Rule:$nr on $if interface. NTP Outbound."
pass out quick log inet6 proto udp from self port >1023 to any port 123 user _ntp label "Rule:$nr on $if interface. NTP Outbound."
pass out quick log inet proto tcp from self port >1023 to any port 443 user _ntp label "Rule:$nr on $if interface. NTP Outbound."
pass out quick log inet6 proto tcp from self port >1023 to any port 443 user _ntp label "Rule:$nr on $if interface. NTP Outbound."
block out quick log inet proto { tcp udp } from self group _ntp label "Rule:$nr on $if interface. Block NTP Out."
block out quick log inet6 proto { tcp udp } from self group _ntp label "Rule:$nr on $if interface. Block NTP Out."
# ---=== Outbound Access: UnWind ===---
pass out quick log inet proto { tcp udp } from self to any port $ports_dns group _unwind label "Rule:$nr on $if interface. Unwind Outbound ipv4"
pass out quick log inet6 proto { tcp udp } from self to any port $ports_dns group _unwind label "Rule:$nr on $if interface. Unwind Outbound ipv6"
pass out quick log inet proto tcp from self to any port 443 group _unwind label "Rule:$nr on $if interface. Unwind HTTP Check"
pass out quick log inet6 proto tcp from self to any port 443 group _unwind label "Rule:$nr on $if interface. Unwind HTTP Check"
block out quick log inet proto { tcp udp } from self to any port $ports_dns group _unwind label "Rule:$nr on $if interface. Block any service DNS Out4"
block out quick log inet6 proto { tcp udp } from self to any port $ports_dns group _unwind label "Rule:$nr on $if interface. Block any service DNS Out6"
block out quick log inet proto { tcp udp } from self group _unwind label "Rule:$nr on $if interface. Unwind Service Cleanup Rule."
block out quick log inet6 proto { tcp udp } from self group _unwind label "Rule:$nr on $if interface. Unwind Service Cleanup Rule."
# ---=== Outbound Access: DHCPD ===---
pass out quick log inet proto { tcp udp } from self to any port 67:68 group _dhcp label "Rule:$nr on $if interface. DHCPD."
pass out quick log inet6 proto { tcp udp } from self to any port 67:68 group _dhcp label "Rule:$nr on $if interface. DHCPD."
block out quick log inet proto { tcp udp } from self group _dhcp label "Rule:$nr on $if interface. DHCPD."
block out quick log inet6 proto { tcp udp } from self group _dhcp label "Rule:$nr on $if interface. DHCPD."
# ---=== Outbound Access: from pkgfetch ===---
pass out quick log inet proto { tcp } from self port >1023 to any port 443 user _pkgfetch label "Rule:$nr on $if interface. Pkg Outbound"
pass out quick log inet6 proto { tcp } from self port >1023 to any port 443 user _pkgfetch label "Rule:$nr on $if interface. Pkg Outbound"
block out quick log inet proto { tcp udp } from self to any group _pkgfetch label "Rule:$nr on $if interface. Block Pkg."
block out quick log inet6 proto { tcp udp } from self to any group _pkgfetch label "Rule:$nr on $if interface. Block Pkg."
# ---=== Outbound Access: from syspatch ===---
pass out quick log inet proto { tcp } from self port >1023 to any port 443 user _syspatch label "Rule:$nr on $if interface. Syspatch Outbound."
pass out quick log inet6 proto { tcp } from self port >1023 to any port 443 user _syspatch label "Rule:$nr on $if interface. Syspatch Outbound."
block out quick log inet proto { tcp udp } from self to any group _syspatch label "Rule:$nr on $if interface. Block Syspatch"
block out quick log inet6 proto { tcp udp } from self to any group _syspatch label "Rule:$nr on $if interface. Block Syspatch"
# ---=== Outbound Access: from freshclam ===---
## pass out quick log inet proto { tcp } from self port >1023 to any port 53 user _clamav label "Rule:$nr on $if interface. Freshclam DNS Out."
## pass out quick log inet6 proto { tcp } from self port >1023 to any port 53 user _clamav label "Rule:$nr on $if interface. Freshclam DNS Out."
pass out quick log inet proto { tcp } from self port >1023 to any port 443 user _clamav label "Rule:$nr on $if interface. Freshclam HTTP Out."
pass out quick log inet6 proto { tcp } from self port >1023 to any port 443 user _clamav label "Rule:$nr on $if interface. Freshclam HTTP Out."
block out quick log inet proto { tcp udp } from self to any group _clamav label "Rule:$nr on $if interface. Block Freshclam."
block out quick log inet6 proto { tcp udp } from self to any group _clamav label "Rule:$nr on $if interface. Block Freshclam."
# ---=== Outbound Access: from root ===---
pass out quick log inet proto { tcp } from self port >1023 to any port 80 user root label "Rule:$nr on $if interface. Root HTTP Out."
pass out quick log inet6 proto { tcp } from self port >1023 to any port 80 user root label "Rule:$nr on $if interface. Root HTTP Out."
pass out quick log inet proto { tcp } from self port >1023 to any port 443 user root label "Rule:$nr on $if interface. Root HTTPS Out."
pass out quick log inet6 proto { tcp } from self port >1023 to any port 443 user root label "Rule:$nr on $if interface. Root HTTPS Out."
block out quick log inet proto { tcp udp } from self to any user root label "Rule:$nr on $if interface. Block root out."
block out quick log inet6 proto { tcp udp } from self to any user root label "Rule:$nr on $if interface. Block root out."
block out quick log inet proto { tcp udp } from self to any group wheel label "Rule:$nr on $if interface. Block wheel out."
block out quick log inet6 proto { tcp udp } from self to any group wheel label "Rule:$nr on $if interface. Block wheel out."
# ---=== Outbound Access: from dirk ===---
pass out quick log inet proto { tcp } from self port >1023 to any port 22 user dirk label "Rule:$nr on $if interface. Dirk SSH Out."
pass out quick log inet6 proto { tcp } from self port >1023 to any port 22 user dirk label "Rule:$nr on $if interface. Dirk SSH Out."
pass out quick log inet proto { tcp } from self port >1023 to any port 43 user dirk label "Rule:$nr on $if interface. Dirk Whois Out."
pass out quick log inet6 proto { tcp } from self port >1023 to any port 43 user dirk label "Rule:$nr on $if interface. Dirk Whois Out."
pass out quick log inet proto { tcp } from self port >1023 to any port 80 user dirk label "Rule:$nr on $if interface. Dirk HTTP Out."
pass out quick log inet6 proto { tcp } from self port >1023 to any port 80 user dirk label "Rule:$nr on $if interface. Dirk HTTP Out."
pass out quick log inet proto { tcp } from self port >1023 to any port 443 user dirk label "Rule:$nr on $if interface. Dirk HTTPS Out."
pass out quick log inet6 proto { tcp } from self port >1023 to any port 443 user dirk label "Rule:$nr on $if interface. Dirk HTTPS Out."
block out quick log inet proto { tcp udp } from self to any group dirk label "Rule:$nr on $if interface. Block Dirk."
block out quick log inet6 proto { tcp udp } from self to any group dirk label "Rule:$nr on $if interface. Block Dirk."
# ---=== ICMP Outbound Rules ===---
pass out quick log inet proto icmp from self to any icmp-type $icmp_useful label "Rule:$nr on $if interface. ICMP Outbound."
pass out quick log inet6 proto icmp6 from self to any icmp6-type $icmp6_useful label "Rule:$nr on $if interface. ICMP6 Outbound."
block out quick log inet proto icmp from self to any label "Rule:$nr on $if interface. ICMP Outbound."
block out quick log inet6 proto icmp6 from self to any label "Rule:$nr on $if interface. ICMP6 Outbound."
# ---=== ICMP Inbound Rules ===---
pass in quick log inet proto icmp from any to self icmp-type 8 code 0 keep state label "Rule:$nr on $if interface. ICMP Inbound."
block in quick log inet proto icmp from any to self label "Rule:$nr on $if interface. ICMP Inbound."
block in quick log inet6 proto icmp6 from any to self label "Rule:$nr on $if interface. ICMP6 Inbound."
# ---=== Block Reverse Path Verify Fail ===---
block in quick log inet from urpf-failed label "Rule:$nr on $if interface. Block reverse path verify failures."
block in quick log inet6 from urpf-failed label "Rule:$nr on $if interface. Block reverse path verify failures."
block in quick log inet from no-route to any label "Rule:$nr on $if interface. Block non routable traffic."
block in quick log inet6 from no-route to any label "Rule:$nr on $if interface. Block non routable traffic."
# ---=== Cleanup Rules ===---
block in quick log inet6 from any label "Rule:$nr on $if interface - Cleanup IPv6 *in* Rule."
block in quick log inet6 to any label "Rule:$nr on $if interface - Cleanup IPv6 *in* Rule."
block out quick log inet6 from any label "Rule:$nr on $if interface - Cleanup IPv6 *out* Rule."
block out quick log inet6 to any label "Rule:$nr on $if interface - Cleanup IPv6 *out* Rule."
block in quick log inet from any label "Rule:$nr on $if interface - Cleanup IPv4 *in* Rule."
block in quick log inet to any label "Rule:$nr on $if interface - Cleanup IPv4 *in* Rule."
block out quick log inet from any label "Rule:$nr on $if interface - Cleanup IPv4 *out* Rule."
block out quick log inet to any label "Rule:$nr on $if interface - Cleanup IPv4 *out* Rule."
block quick log all label "Rule:$nr on $if interface - Last match Cleanup Rule."
block log label "Rule:$nr on $if interface - Stateless Cleanup Rule."
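Added example, not part of the post above and not OpenSSH's or OpenBSD's code: a small Python script that parses the sshd "Connection from" lines quoted in the post and checks a pf.conf text for the interaction between "set skip on lo" and rules written "on lo0". It makes two points concrete. In that sshd log format the first port is the client's ephemeral source port and the second is the port sshd accepted on, so both entries above were accepted on 50022 and 5273 is only the source port of the second client. And because "set skip on lo" excludes the whole lo interface group from filtering, pf never evaluates the "block ... on lo0" rules for loopback traffic; the "antispoof for lo0" rule is a different matter, since it expands to rules on "! lo0" and only concerns 127/8-sourced packets arriving on other interfaces. sshd logs "Connection from" after the TCP handshake has completed, so a 127.0.0.1 to 127.0.0.1 connection was initiated by a process on the host itself, and the defensive follow-up is to identify that local process rather than to look for a spoofing path through pf. The log lines and pf fragment embedded below are copied from the post (joined onto single lines, labels shortened); the function names parse_connections, summarize, skipped_interfaces and dead_lo0_rules are this example's own.

```python
"""Added example: classify the sshd connection lines quoted in the post and
flag pf.conf rules written 'on lo0' that 'set skip on lo' turns off.
Not part of the original post; not OpenSSH's or OpenBSD's code."""
import re
from collections import defaultdict

# Constructed sample: the post's /var/log/authlog lines, one entry per line.
AUTHLOG = """\
Nov 3 21:27:46 server-1 sshd-session[46091]: Connection from 127.0.0.1 port 48186 on 127.0.0.1 port 50022 rdomain "0"
Nov 3 21:27:46 server-1 sshd-session[46091]: User root from 127.0.0.1 not allowed because a group is listed in DenyGroups
Nov 3 21:27:48 server-1 sshd-session[46091]: Connection closed by invalid user root 127.0.0.1 port 48186 [preauth]
Nov 3 21:33:19 server-1 sshd-session[42309]: Connection from 127.0.0.1 port 5273 on 127.0.0.1 port 50022 rdomain "0"
Nov 3 21:33:19 server-1 sshd-session[42309]: User root from 127.0.0.1 not allowed because a group is listed in DenyGroups
Nov 3 21:33:23 server-1 sshd-session[42309]: Connection closed by invalid user root 127.0.0.1 port 5273 [preauth]
"""

# Constructed sample: a few rules copied from the post's pf.conf, joined onto
# single lines, with the labels shortened.
PF_SAMPLE = """\
set skip on lo
antispoof log quick for { lo0, vio0, wg0, tun0 } label "Antispoof rule."
block quick log on lo0 inet proto tcp from any to self port { 22,80,443,50022 } label "URPF Failure."
block quick log on lo0 inet proto udp from any to self port 51820 label "URPF Failure."
block return in on ! lo0 proto tcp to port 6000:6010 label "Default OpenBSD rule - X11"
pass in quick log on egress inet proto tcp from any port >1023 to $ip_ext1 port = 50022 flags S/SA synproxy state label "Inbound SSH."
"""

# sshd format: "Connection from <client> port <client port> on <local> port <listen port>"
CONN_RE = re.compile(
    r"sshd-session\[(?P<pid>\d+)\]: Connection from (?P<src>\S+) port (?P<sport>\d+)"
    r" on (?P<dst>\S+) port (?P<dport>\d+)"
)
DENY_RE = re.compile(
    r"sshd-session\[(?P<pid>\d+)\]: User (?P<user>\S+) from \S+ not allowed"
)


def parse_connections(text):
    """One dict per sshd session: client and listener addresses/ports, the
    user attempted, and whether the client address is loopback."""
    sessions = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            sessions[m["pid"]] = {
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "user": None,
                "loopback_source": m["src"].startswith("127."),
            }
            continue
        m = DENY_RE.search(line)
        if m and m["pid"] in sessions:
            sessions[m["pid"]]["user"] = m["user"]
    return list(sessions.values())


def summarize(sessions):
    """Count attempts per (client address, local address, listening port)."""
    counts = defaultdict(int)
    for s in sessions:
        counts[(s["src"], s["dst"], s["dport"])] += 1
    return dict(counts)


SKIP_RE = re.compile(r"^\s*set\s+skip\s+on\s+(?P<ifs>.+?)\s*$")


def skipped_interfaces(pf_text):
    """Interface names and groups listed in any 'set skip on ...' line."""
    skipped = set()
    for line in pf_text.splitlines():
        m = SKIP_RE.match(line)
        if m:
            skipped.update(t for t in re.split(r"[\s{},]+", m["ifs"]) if t)
    return skipped


def dead_lo0_rules(pf_text):
    """Rules written 'on lo0' that pf never evaluates because lo0 (or the 'lo'
    interface group it belongs to) is excluded from filtering by set skip.
    Rules 'on ! lo0' and antispoof rules are deliberately not reported: they
    apply on the other interfaces, which 'set skip on lo' does not touch."""
    if not skipped_interfaces(pf_text) & {"lo", "lo0"}:
        return []
    dead = []
    for line in pf_text.splitlines():
        rule = line.strip()
        if rule.startswith("#") or rule.startswith("set "):
            continue
        if re.search(r"\bon\s+lo0\b", rule):
            dead.append(rule)
    return dead


if __name__ == "__main__":
    sessions = parse_connections(AUTHLOG)
    for s in sessions:
        print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
              f"user={s['user']} loopback_source={s['loopback_source']}")
    print("attempts per listener:", summarize(sessions))
    for rule in dead_lo0_rules(PF_SAMPLE):
        print("never evaluated (set skip on lo):", rule)
```

Running the script prints both sessions with destination port 50022 and a single summary entry for ("127.0.0.1", "127.0.0.1", 50022), and lists the two "block ... on lo0" rules as never evaluated. To apply the same check to the full ruleset, read /etc/pf.conf (with the mail-wrapped rules joined back onto single lines) into a string and pass it to dead_lo0_rules.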