pf overload for SMTP (was: Thousands of ssh probes)
On Fri, Mar 05, 2010 at 04:01:32PM +, Matthew Seaman wrote:
> On 05/03/2010 15:44:39, John wrote:
>> Maybe I'll have to learn how to do a VPN from FreeBSD
>>
>> One thought that occurs to me is that pf tables would provide a direct
>> API without having to hit a database. I think I really like this. I may
>> have to implement it for pf. It should be really easy with CGI and
>> calls to pfctl.
>
> There's already a mechanism whereby you can connect into a PF firewall
> and have it open up extra access for you, all controlled by ssh keys.
> See:
>
> http://www.openbsd.org/faq/pf/authpf.html
>
> Not only that, but you can dynamically block brute force attempts to
> crack SSH passwords using just PF -- no need to scan through auth.log or
> use an external database. You need something like this in pf.conf:
>
>     table <ssh-bruteforce> persist
>
>     [...near the top of the rules section...]
>
>     block drop in log quick on $ext_if from <ssh-bruteforce>
>
>     [...later in the rules section...]
>
>     pass in on $ext_if proto tcp \
>         from any to $ext_if port ssh \
>         flags S/SA keep state \
>         (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)
>
> This adds IPs to the ssh-bruteforce table if there are too frequent
> attempts to connect from them (more than 3 within 30 seconds in this
> case) and so blocks all further access. You need to run a cron job to
> clear out old entries from the ssh-bruteforce table or it will grow
> continually over time:
>
>     */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 86400 > /dev/null 2>&1
>
> Cheers,
>
> Matthew

Is there any reason one couldn't do something similar for SMTP? Maybe a
little wider sample window, like 10/300? Or would you end up blocking too
many things that you don't mean to block?

Anyone played with this for SMTP?

--
John Lind
j...@starfire.mn.org

The inherent vice of capitalism is the unequal sharing of blessings;
the inherent virtue of socialism is the equal sharing of miseries.
- Winston Churchill

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
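To make the quoted rule and John's 10/300 question concrete, here is a small Python model of how max-src-conn-rate feeds an overload table and how the periodic pfctl -T expire prunes it. It is an added example, not code from the thread and not pf's own implementation. It assumes pf's per-source counter restarts at the first connection seen after the interval has elapsed (rather than being a true sliding window); the addresses and timings are constructed sample traffic.

```python
"""Model of pf's max-src-conn-rate + overload table (added example).

Not pf's code and not from the thread: it approximates the counter pf keeps
per source address and the overload table fed by it, so the 3/30 (ssh) and
10/300 (smtp) settings can be compared on sample traffic. Assumption: pf's
counter restarts at the first connection seen after the interval has elapsed
rather than being a true sliding window. Addresses and timings below are
constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class OverloadModel:
    limit: int                 # max-src-conn-rate limit/...
    seconds: int               # .../interval, e.g. 3/30
    expire_after: int = 86400  # what the cron 'pfctl -T expire 86400' uses
    counters: dict = field(default_factory=dict)  # src -> (count, window_start)
    table: dict = field(default_factory=dict)     # <table>: src -> time added
    states: dict = field(default_factory=dict)    # src -> open state count

    def new_connection(self, src: str, now: int) -> bool:
        """Return True if the SYN passes, False if it is dropped."""
        if src in self.table:
            return False            # 'block drop in quick ... from <table>' hits first
        count, start = self.counters.get(src, (0, now))
        if count == 0 or now - start >= self.seconds:
            count, start = 0, now   # interval elapsed: restart the window
        count += 1
        self.counters[src] = (count, start)
        if count > self.limit:
            # overload <table> flush global: add the source and kill its states
            self.table[src] = now
            self.states.pop(src, None)
            return False
        self.states[src] = self.states.get(src, 0) + 1
        return True

    def expire(self, now: int) -> list:
        """Emulate 'pfctl -t <table> -T expire N' run from cron."""
        stale = [s for s, t in self.table.items() if now - t >= self.expire_after]
        for s in stale:
            del self.table[s]
        return stale


def replay(events, limit, seconds):
    """Feed (time, src) SYNs through the model; return (model, passed, blocked)."""
    model = OverloadModel(limit, seconds)
    passed = blocked = 0
    for now, src in sorted(events):
        if model.new_connection(src, now):
            passed += 1
        else:
            blocked += 1
    return model, passed, blocked


# Constructed sample traffic (RFC 5737 documentation addresses).
SSH_EVENTS = (
    [(t, "203.0.113.5") for t in range(10)]            # scanner: 10 SYNs in 10 s
    + [(t, "198.51.100.7") for t in (0, 100, 200)]     # admin: 3 logins in 200 s
)
SMTP_EVENTS = (
    [(t, "192.0.2.20") for t in range(0, 120, 2)]      # spam bot: 60 SYNs in 2 min
    + [(t, "198.51.100.25") for t in range(0, 60, 8)]  # relay: 8 messages in 1 min
)

if __name__ == "__main__":
    for name, events, limit, seconds in (("ssh 3/30", SSH_EVENTS, 3, 30),
                                         ("smtp 10/300", SMTP_EVENTS, 10, 300)):
        model, passed, blocked = replay(events, limit, seconds)
        print(f"{name}: passed={passed} blocked={blocked} table={sorted(model.table)}")
```

Replaying the sample traffic, the scanner lands in the table on its fourth SYN while the admin's spread-out logins never do, and at 10/300 the bot is cut off after ten connections while the relay's eight deliveries pass. The same model also shows the risk John asks about: a legitimate relay that opens an eleventh connection within 300 seconds would be added to the table and stay there until the cron expiry, which is why the SMTP window needs to be sized against real peer behaviour.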
Re: pf overload for SMTP
On 05/03/2010 16:35:07, John wrote:
> Is there any reason one couldn't do something similar for SMTP? Maybe a
> little wider sample window, like 10/300? Or would you end up blocking too
> many things that you don't mean to block?
>
> Anyone played with this for SMTP?

You can do this with SMTP, but I'm not sure quite how useful it would be
given the different usage patterns for e-mail. (I've applied it quite
happily for FTP servers, for example.)

If you want to do some pf-level antispam stuff, then look at spamd -- in
the ports as obspamd to prevent confusion with SpamAssassin's spamd.

http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

This implements greylisting, greytrapping and teergrube against addresses
blacklisted as spam sources. Last I checked it only worked on IPv4 though.
It's a fairly light-weight means of eliminating quite a lot of spam, but it
should be used in conjunction with other MTA mediated anti-spam
techniques, for example SpamAssassin.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
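To make the greylisting, greytrapping and teergrube that Matthew mentions concrete, here is an added Python model of the decision spamd makes for each incoming SMTP connection. It is not spamd's code and not from the thread. The three timers (a retry counts only after 25 minutes, untried grey entries are forgotten after 4 hours, whitelisted sources stay white for 36 days) are the values I recall as spamd's -G defaults and should be treated as assumptions; the addresses and times are constructed sample data.

```python
"""Model of the per-connection decision spamd makes (added example).

Not spamd's code and not from the thread. It shows what greylisting,
greytrapping and the teergrube (tarpit) mean for a connecting host. The three
timers are the values I recall as spamd's -G defaults (25 minutes passtime,
4 hours greyexp, 36 days whiteexp); treat them as assumptions. Addresses and
times are constructed sample data.
"""
from dataclasses import dataclass, field

PASSTIME = 25 * 60            # a retry counts only after this long
GREYEXP = 4 * 60 * 60         # grey tuples not retried by then are forgotten
WHITEEXP = 36 * 24 * 60 * 60  # whitelisted sources stay white this long


@dataclass
class SpamdModel:
    spamtraps: set = field(default_factory=set)  # addresses that never get real mail
    grey: dict = field(default_factory=dict)     # (ip, from, to) -> first seen
    white: dict = field(default_factory=dict)    # ip -> last seen (<spamd-white>)
    trapped: dict = field(default_factory=dict)  # ip -> time trapped (no ageing modelled)

    def connect(self, ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        """Return 'pass', 'tempfail' (451, try later) or 'tarpit' (teergrube)."""
        self.expire(now)
        if ip in self.trapped:
            return "tarpit"         # trapped/blacklisted hosts get the stutter
        if ip in self.white:
            self.white[ip] = now    # refresh; real spamd passes these at pf level
            return "pass"
        if rcpt_to in self.spamtraps:
            self.trapped[ip] = now  # greytrap: mail to a trap address marks the source
            return "tarpit"
        key = (ip, mail_from, rcpt_to)
        first = self.grey.setdefault(key, now)
        if now - first < PASSTIME:
            return "tempfail"       # first attempt, or retried too soon
        del self.grey[key]
        self.white[ip] = now        # retried inside the window: whitelist the IP
        return "pass"

    def expire(self, now: int) -> None:
        """Age out grey tuples and whitelist entries, as spamd does periodically."""
        self.grey = {k: t for k, t in self.grey.items() if now - t < GREYEXP}
        self.white = {k: t for k, t in self.white.items() if now - t < WHITEEXP}


if __name__ == "__main__":
    m = SpamdModel(spamtraps={"nobody@example.org"})
    # A real MTA retries after half an hour; a single-shot bot never does.
    for t, ip, frm, to in ((0, "198.51.100.25", "a@b.example", "user@example.org"),
                           (0, "192.0.2.20", "s@p.example", "user@example.org"),
                           (1800, "198.51.100.25", "a@b.example", "user@example.org"),
                           (5 * 3600, "192.0.2.20", "s@p.example", "user@example.org")):
        print(t, ip, m.connect(ip, frm, to, t))
```

The model shows why greylisting costs legitimate mail only a delay: a compliant MTA retries and its IP is whitelisted for all further mail, whereas a sender that never retries is simply forgotten after four hours and a host that writes to a spamtrap address is tarpitted from then on.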