Re: Can SSH report successful connections to pf?
> At the end of a "pass" rule in pf.conf, the author adds:
>
> max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global
>
> which means:
>
> "any source can only have a total of three connections,
> and they may not create them at a rate faster than two
> every five minutes. If they do, they will be added to the
> abusers table and every packet/session will be globally
> dropped."
>
> I locked myself out of many boxes thanks to that.

As Peter pointed out, it is best to set a timeout/expiry date for IPs in the blocklist. One can also create a whitelist for your own IPs. Personally, I checked the IP my ISP gave me, then checked by online services what AS number and CIDR this IP is contained in, then added it to the whitelist table. It creates some hole in the firewall, but a proactive firewall based on blocklists in itself isn't strong protection. It is mostly useful for performance reasons.
Re: Can SSH report successful connections to pf?
Cool!

On Sat, May 5, 2018 at 3:17 AM Andreas Kusalananda Kähäri <andreas.kah...@icm.uu.se> wrote:

> On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote:
> >
> > You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> > for successful and unsuccessful logins and then add the unsuccessful logins
> > with pfctl to a blocked table. To have it permanent after a reboot you can write
> > with pfctl the blocked IPs to a file, which you re-read in a pf.conf ruleset.
> >
> > Like
> > table persist file "/etc/pf.bruteforce"
> > block in quick proto tcp from to any
> >
> > Stefan
>
> This is *exactly* what sshguard does. I have an updated
> security/sshguard port (previously posted to the ports list) that
> understands our sshd's log output, but it has not yet been committed.
> There is currently some kind of issue with it preventing it from
> starting at boot (but always starts with "rcctl start sshguard"). I
> haven't looked too deeply at that yet though.
>
> Regards,
>
> --
> Andreas Kusalananda Kähäri,
> National Bioinformatics Infrastructure Sweden (NBIS),
> Uppsala University, Sweden.
Re: Can SSH report successful connections to pf?
On 05/05/18 01:56, Kapfhammer, Stefan wrote:
>
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> for successful and unsuccessful logins and then add the unsuccessful logins
> with pfctl to a blocked table. To have it permanent after a reboot you can write
> with pfctl the blocked IPs to a file, which you re-read in a pf.conf ruleset.
>
> Like
> table persist file "/etc/pf.bruteforce"
> block in quick proto tcp from to any

The problem here is what logon attempt frequency and which number of simultaneous connections you set as acceptable. You *will* at some point end up blocking yourself based on those criteria, even more certainly so if you're chasing the relatively slow attackers, and if you allow password logins at all, valid users will occasionally mistype their passwords.

For those reasons, I ended up with a regime that block drops according to something like

# ---
table <bruteforce> persist counters file "/var/tmp/bruteforce"
block drop log (all) quick from <bruteforce> label bruteforce
pass in quick log (all) on egress proto tcp to port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global, pflow)

and just because I can, 28 day expiry, and a cron job that dumps table contents to file at reasonable intervals. The bruteforce table is never empty, and the bulk of the miscreants will be caught this way.

After trying various fully automatic variants that all bit back in various ways, I ended up determining that scanning the logs manually when I have time (typically once or twice per day) was sufficient to catch the rest. Then I add to the bruteforce table and harvest local parts for the spamtraps.

Some of my scribbles on this can be found at
https://bsdly.blogspot.no/2017/04/forcing-password-gropers-through.html and
http://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-lessons-learned.html (with references)

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Can SSH report successful connections to pf?
On 2018-05-04, Kapfhammer, Stefan wrote:
>
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz

This wheel has been invented several times; if someone wants to make their own, they should study revisions to past designs, as there have been some nasty problems fixed along the way. Rather than parsing authlog from disk, it's better to have syslogd pipe to a command instead.
Re: Can SSH report successful connections to pf?
On 04/05/18 23:16, Luke Small wrote:
> Can SSH and possibly other programs be made more easily able to report successful
> connections, so pf can make stricter bruteforce connection rejecting even better?

See this paper, that might contain what you're trying to achieve:
https://www.sans.org/reading-room/whitepapers/firewalls/cleaning-yard-discussion-mothers-home-network-security-32933

At the end of a "pass" rule in pf.conf, the author adds:

max-src-conn 3, max-src-conn-rate 2/5, overload <abusers> flush global

which means:

"any source can only have a total of three connections,
and they may not create them at a rate faster than two
every five minutes. If they do, they will be added to the
abusers table and every packet/session will be globally
dropped."

I locked myself out of many boxes thanks to that.

--
Étienne
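Both Peter's rule (max-src-conn 15, max-src-conn-rate 2/10) and the paper's rule quoted above (max-src-conn 3, max-src-conn-rate 2/5) can lock a legitimate user out, as the two posters describe. The following is an added example, not code from the list or from either poster: a small Python model of how a pf "pass" rule with "overload <table> flush global" reacts to a sequence of connection attempts from one source. It is a simplification (an assumption of this example): the rate limit is modelled as a strict sliding window, whereas pf computes the connection rate as a moving-average approximation; the table name, addresses and the scenarios are constructed.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Limits:
    """Per-source limits of a pf 'pass' rule with 'overload <table> flush global'."""
    max_src_conn: int     # simultaneous connections allowed from one source
    rate_count: int       # max-src-conn-rate: this many new connections ...
    rate_seconds: int     # ... per this many seconds


# The two rules discussed in the thread.
SANS_PAPER = Limits(max_src_conn=3, rate_count=2, rate_seconds=5)
PETER = Limits(max_src_conn=15, rate_count=2, rate_seconds=10)


@dataclass
class Source:
    open_conns: int = 0
    recent: deque = field(default_factory=deque)   # start times inside the rate window


class OverloadModel:
    """Sliding-window approximation of pf's per-source tracking (assumption: pf
    itself uses a moving average for the rate, so real behaviour differs slightly)."""

    def __init__(self, limits):
        self.limits = limits
        self.sources = {}
        self.table = set()   # the overload table; 'block quick from <table>' matches it first

    def connect(self, t, ip):
        """A new SYN from ip at time t; returns 'blocked', 'overload' or 'pass'."""
        if ip in self.table:
            return "blocked"
        src = self.sources.setdefault(ip, Source())
        while src.recent and t - src.recent[0] >= self.limits.rate_seconds:
            src.recent.popleft()              # forget starts outside the window
        src.recent.append(t)
        src.open_conns += 1
        if (len(src.recent) > self.limits.rate_count
                or src.open_conns > self.limits.max_src_conn):
            self.table.add(ip)
            self.sources.pop(ip)              # flush global: every state from ip is killed
            return "overload"
        return "pass"

    def disconnect(self, ip):
        src = self.sources.get(ip)
        if src and src.open_conns > 0:
            src.open_conns -= 1


def replay(limits, events):
    """events: (t, ip, 'open'|'close'); returns one verdict per 'open' event."""
    model = OverloadModel(limits)
    verdicts = []
    for t, ip, kind in events:
        if kind == "open":
            verdicts.append(model.connect(t, ip))
        else:
            model.disconnect(ip)
    return verdicts


# Constructed scenarios (documentation addresses).
ADMIN_QUICK = [(0, "203.0.113.5", "open"), (1, "203.0.113.5", "open"),
               (2, "203.0.113.5", "open")]            # three terminals in two seconds
ADMIN_PACED = [(0, "203.0.113.5", "open"), (1, "203.0.113.5", "open"),
               (12, "203.0.113.5", "open"), (25, "203.0.113.5", "open")]
SCANNER = [(t, "192.0.2.10", "open") for t in (0, 0, 0, 1, 2)]

if __name__ == "__main__":
    for name, limits in (("SANS paper", SANS_PAPER), ("Peter", PETER)):
        print(name, "admin quick :", replay(limits, ADMIN_QUICK))
        print(name, "admin paced :", replay(limits, ADMIN_PACED))
        print(name, "scanner     :", replay(limits, SCANNER))
```

The model shows the trade-off the posters describe: opening three sessions within a couple of seconds trips the 2-per-window rate limit under either rule, the paced admin is caught only by the paper's max-src-conn 3 on the fourth concurrent session, and a scanner is overloaded on its third SYN and then hits the block rule for everything after.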
Re: Can SSH report successful connections to pf?
On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote:
>
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> for successful and unsuccessful logins and then add the unsuccessful logins
> with pfctl to a blocked table. To have it permanent after a reboot you can write
> with pfctl the blocked IPs to a file, which you re-read in a pf.conf ruleset.
>
> Like
> table persist file "/etc/pf.bruteforce"
> block in quick proto tcp from to any
>
> Stefan

This is *exactly* what sshguard does. I have an updated security/sshguard port (previously posted to the ports list) that understands our sshd's log output, but it has not yet been committed. There is currently some kind of issue with it preventing it from starting at boot (but always starts with "rcctl start sshguard"). I haven't looked too deeply at that yet though.

Regards,

--
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.
Re: Can SSH report successful connections to pf?
If you want to open the gate for those who authenticated using ssh, you may need authpf(8) (known as the Authentication Gateway): https://www.openbsd.org/faq/pf/authpf.html
Re: Can SSH report successful connections to pf?
You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz for successful and unsuccessful logins and then add the unsuccessful logins with pfctl to a blocked table. To have it permanent after a reboot you can write with pfctl the blocked IPs to a file, which you re-read in a pf.conf ruleset.

Like
table persist file "/etc/pf.bruteforce"
block in quick proto tcp from to any

Stefan

From: owner-m...@openbsd.org on behalf of Luke Small
Sent: Saturday, 5 May 2018 00:16
To: openbsd-misc
Subject: Can SSH report successful connections to pf?

Can SSH and possibly other programs be made more easily able to report successful connections, so pf can make stricter bruteforce connection rejecting even better?
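Stefan's suggestion (parse sshd's auth log, add repeat offenders to a pf table with pfctl, persist the table to a file), Stuart's refinement (feed the script from a syslogd pipe rather than re-reading authlog from disk), and the later reply about whitelisting your own prefix and expiring entries all fit in one small program. The following is an added example written for this thread, not sshguard, not Stefan's or Peter's code: a Python script that reads sshd lines (from stdin when started with "-", as a syslogd pipe action would feed it, otherwise from a constructed sample log), counts failed logins per source, clears the count on a successful login, skips a whitelisted prefix, and emits the pfctl commands rather than running them. The table name "bruteforce", the threshold of 5, the whitelist prefix and every log line are constructed for the example; the 28-day expiry follows Peter's setup and relies on pfctl's "-T expire" aging out entries by the time they were added.

```python
"""Tally failed sshd logins per source and emit pfctl commands for a bruteforce
table. Reads stdin when invoked with "-", otherwise uses SAMPLE_LOG."""
import ipaddress
import re
import sys
from collections import defaultdict

# Assumptions for this example: table name, strike threshold, "my ISP" prefix.
TABLE = "bruteforce"
FAIL_THRESHOLD = 5
TABLE_EXPIRY_SECONDS = 28 * 24 * 3600          # 28 days, as in Peter's setup
WHITELIST = ("198.51.100.0/24",)               # constructed prefix (TEST-NET-2)

# OpenBSD sshd wording for the two outcomes acted on here.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+")


def parse_line(line):
    """Return ("failed"|"accepted", user, ip) for an sshd auth line, else None."""
    for kind, pattern in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        m = pattern.search(line)
        if m:
            return kind, m.group("user"), m.group("ip")
    return None


class BruteforceWatcher:
    def __init__(self, whitelist=WHITELIST, threshold=FAIL_THRESHOLD):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.blocked = set()

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def feed(self, line):
        """Consume one log line; return a pfctl command to run, or None."""
        parsed = parse_line(line)
        if parsed is None:
            return None
        kind, _user, ip = parsed
        if self.is_whitelisted(ip):
            return None                       # never block your own prefix
        if kind == "accepted":
            self.failures.pop(ip, None)       # a real login clears the strikes
            return None
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            return f"pfctl -t {TABLE} -T add {ip}"
        return None


def maintenance_commands():
    """Cron-job side: age out old entries, then persist the table to its file."""
    return [f"pfctl -t {TABLE} -T expire {TABLE_EXPIRY_SECONDS}",
            f"pfctl -t {TABLE} -T show > /var/tmp/{TABLE}"]


def process(lines, whitelist=WHITELIST, threshold=FAIL_THRESHOLD):
    """Feed every line to a fresh watcher; return the pfctl commands it emitted."""
    watcher = BruteforceWatcher(whitelist, threshold)
    return [cmd for cmd in map(watcher.feed, lines) if cmd is not None]


# Constructed sample authlog; all addresses are documentation ranges.
SAMPLE_LOG = [
    "May  5 00:16:01 gw sshd[20001]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2",
    "May  5 00:16:02 gw sshd[20002]: Failed password for peter from 198.51.100.7 port 40001 ssh2",
    "May  5 00:16:03 gw sshd[20003]: Failed password for root from 192.0.2.10 port 51240 ssh2",
    "May  5 00:16:04 gw sshd[20004]: Failed publickey for peter from 203.0.113.5 port 40002 ssh2",
    "May  5 00:16:05 gw sshd[20005]: Failed password for peter from 198.51.100.7 port 40003 ssh2",
    "May  5 00:16:06 gw sshd[20006]: Failed password for peter from 203.0.113.5 port 40002 ssh2",
    "May  5 00:16:08 gw sshd[20006]: Accepted publickey for peter from 203.0.113.5 port 40002 ssh2: ED25519 SHA256:constructed",
    "May  5 00:16:09 gw sshd[20008]: Failed password for invalid user oracle from 192.0.2.10 port 51250 ssh2",
    "May  5 00:16:11 gw sshd[20009]: Failed password for invalid user test from 192.0.2.10 port 51255 ssh2",
    "May  5 00:16:12 gw sshd[20010]: Connection closed by 203.0.113.5 port 40005 [preauth]",
    "May  5 00:16:14 gw sshd[20011]: Failed password for invalid user pi from 192.0.2.10 port 51260 ssh2",
    "May  5 00:16:15 gw sshd[20012]: Failed password for root from 192.0.2.10 port 51266 ssh2",
    "May  5 00:16:20 gw sshd[20013]: Failed password for peter from 203.0.113.5 port 40010 ssh2",
]

if __name__ == "__main__":
    source = sys.stdin if "-" in sys.argv[1:] else SAMPLE_LOG
    watcher = BruteforceWatcher()
    for line in source:
        cmd = watcher.feed(line)
        if cmd:
            print(cmd)          # on a real gateway, hand this to subprocess.run()
    for cmd in maintenance_commands():
        print("# cron:", cmd)
```

Run against the sample log, only the scanner at 192.0.2.10 reaches the threshold; the whitelisted host and the user whose login eventually succeeds never produce a command. Pointing syslogd's pipe action at the script path (a hypothetical one such as "|/usr/local/sbin/sshwatch.py -") keeps the counting in memory between lines, which is what Stuart's remark about avoiding repeated parsing of authlog gets you; the two maintenance commands belong in the cron job Peter mentions, and the table's "persist file" option reloads the dumped file after a reboot.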
Re: Can SSH report successful connections to pf?
On 05/05/18 00:16, Luke Small wrote:
> Can SSH and possibly other programs be made more easily able to report successful
> connections, so pf can make stricter bruteforce connection rejecting even
> better?
>

Hi,

could be just me, but I didn't get what you want to achieve, really. Could you be more specific here?

--
Tony
GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580
Can SSH report successful connections to pf?
Can SSH and possibly other programs be made more easily able to report successful connections, so pf can make stricter bruteforce connection rejecting even better?