Re: Can SSH report successful connections to pf?

2018-05-11 Thread Lampshade

>At the end of a "pass" rule in pf.conf, the author adds:
>
> max-src-conn 3, max-src-conn-rate 2/5, overload  flush global
>
>which means:
>
> "any source can only have a total of three connections,
> and they may not create them at a rate faster than two
> every five minutes. If they do, they will be added to the
> abusers table and every packet/session will be globally
> dropped."
>
>I locked myself out of many boxes thanks to that.

As Peter pointed out, it is best to set a timeout/expiry date for IPs in the blocklist.
One can also create a whitelist for your own IPs. Personally, I checked the IP
my ISP gave me, then checked with online services which AS number and CIDR
this IP is contained in, then added it to a whitelist table. It creates some
hole in the firewall, but a proactive firewall based on blocklists isn't in itself
strong protection. It is mostly useful for performance reasons.



Re: Can SSH report successful connections to pf?

2018-05-05 Thread Luke Small
Cool!
On Sat, May 5, 2018 at 3:17 AM Andreas Kusalananda Kähäri <andreas.kah...@icm.uu.se> wrote:

> On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote:
> >
> > You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> > for successful and unsuccessful logins and then add the unsuccessful logins
> > with pfctl to a blocked table. To have it permanent after a reboot you can write
> > with pfctl the blocked ip's to a file, which you re-read in a pf.conf ruleset.
> >
> > Like
> > table  persist file "/etc/pf.bruteforce"
> > block in quick proto tcp from  to any
> >
> > Stefan
>
> This is *exactly* what sshguard does.  I have an updated
> security/sshguard port (previously posted to the ports list) that
> understands our sshd's log output, but it has not yet been committed.
> There is currently some kind of issue with it preventing it from
> starting at boot (but always starts with "rcctl start sshguard").  I
> haven't looked too deeply at that yet though.
>
> Regards,
>
>
> --
> Andreas Kusalananda Kähäri,
> National Bioinformatics Infrastructure Sweden (NBIS),
> Uppsala University, Sweden.
>


Re: Can SSH report successful connections to pf?

2018-05-05 Thread Peter N. M. Hansteen
On 05/05/18 01:56, Kapfhammer, Stefan wrote:
> 
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> for successful and unsuccessful logins and then add the unsuccessful logins
> with pfctl to a blocked table. To have it permanent after a reboot you can 
> write
> with pfctl the blocked ip's to a file, which you re-read in a pf.conf ruleset.
> 
> Like
> table  persist file "/etc/pf.bruteforce"
> block in quick proto tcp from  to any

The problem here is what logon attempt frequency and which number of
simultaneous connections you set as acceptable.

You *will* at some point end up blocking yourself based on those
criteria, even more certainly so if you're chasing the relatively slow
attackers, and if you allow password logins at all, valid users will
occasionally mistype their passwords.

For those reasons, I ended up with a regime that block drops according
to something like

# ---
table  persist counters file "/var/tmp/bruteforce"

block drop log (all) quick from  label bruteforce

pass in quick log (all) on egress proto tcp to port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 2/10, overload  flush global, pflow)

and just because I can, 28 day expiry, and a cron job that dumps table
contents to file at reasonable intervals.

The bruteforce table is never empty, and the bulk of the miscreants will
be caught this way. After trying various fully automatic variants
that all bit back in various ways, I ended up determining that scanning
the logs manually when I have time (typically once or twice per day) was
sufficient to catch the rest. Then I add to the bruteforce table and
harvest local parts for the spamtraps.

Some of my scribbles on this can be found at
https://bsdly.blogspot.no/2017/04/forcing-password-gropers-through.html
and
http://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-lessons-learned.html
(with references)

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
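An added example, not Peter's own cron job: the maintenance side of the regime described above (28 day expiry and a periodic dump of the table to the file pf reloads at boot), combined with the whitelist idea from Lampshade's reply at the top of the thread so your own addresses never stay in the table. The table name and dump path follow the post; the whitelist path, its format and the script's own name are assumptions.

```shell
#!/bin/sh
# Added example, not Peter's own script.  Run from root's crontab (say
# hourly): age out table entries older than DAYS, drop any of your own
# addresses that ended up in the table, and dump the rest to the file that
#   table <bruteforce> persist counters file "/var/tmp/bruteforce"
# reloads at boot.  The whitelist path and format are assumptions.
TABLE=${TABLE:-bruteforce}
DUMP=${DUMP:-/var/tmp/bruteforce}
WHITELIST=${WHITELIST:-/etc/pf.whitelist}   # exact addresses, one per line
DAYS=${DAYS:-28}

# pfctl -T expire wants seconds since the entry was added (or since its
# counters were last cleared), so convert the day count.
expire_seconds() { echo $(( $1 * 86400 )); }

# Remove whitelisted addresses from the table; harmless if none are there.
unblock_whitelisted() {
    [ -r "$WHITELIST" ] || return 0
    while read -r addr; do
        case $addr in ''|'#'*) continue ;; esac
        pfctl -t "$TABLE" -T delete "$addr" >/dev/null 2>&1 || true
    done < "$WHITELIST"
}

# Age out old entries, clean the whitelist, then write the survivors to
# DUMP through a temp file so a half-written dump is never what pf loads.
maintain_table() {
    pfctl -t "$TABLE" -T expire "$(expire_seconds "$DAYS")" >/dev/null 2>&1
    unblock_whitelisted
    tmp=$(mktemp "$DUMP.XXXXXX") || return 1
    list=$(pfctl -t "$TABLE" -T show) || { rm -f "$tmp"; return 1; }
    # -T show indents each address; the table file wants bare lines
    printf '%s\n' "$list" | sed -e 's/^[[:space:]]*//' -e '/^$/d' > "$tmp" \
        && mv "$tmp" "$DUMP"
}

# Entry point for cron ("bruteforce-maint run"); guarded so the functions
# can also be sourced from another script.
if [ "${1:-}" = run ]; then
    maintain_table
fi
```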



Re: Can SSH report successful connections to pf?

2018-05-05 Thread Stuart Henderson
On 2018-05-04, Kapfhammer, Stefan  wrote:
>
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz

This wheel has been invented several times; if someone wants to make
their own they should study revisions to past designs, as there have
been some nasty problems fixed along the way.

Rather than parsing authlog from disk, it's better to have syslogd
pipe to a command instead.
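An added example, not code from the thread or from sshguard: a small watcher for the authlog-parsing approach Stefan describes in the quoted line, arranged the way Stuart suggests, with syslogd piping sshd's messages to it instead of re-reading authlog from disk. It also skips a whitelist of your own addresses so it cannot lock you out. The syslog.conf line, script path, table name, whitelist path and the one-counter-file-per-address layout are all assumptions; the log lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from sshguard.  Meant to sit on
# the receiving end of a syslogd pipe so sshd's messages arrive on stdin as
# they are logged, e.g. with this (assumed) line in /etc/syslog.conf:
#   auth.info   |/usr/local/sbin/sshwatch run
# Whitelist format (exact addresses, one per line) is also an assumption.
TABLE=${TABLE:-bruteforce}                 # pf table, declared "persist" in pf.conf
LIMIT=${LIMIT:-5}                          # failures before a source is added
WHITELIST=${WHITELIST:-/etc/pf.whitelist}  # your own addresses, never blocked
STATE=${STATE:-/var/run/sshwatch}          # one counter file per source address

# Print the client address from an sshd failure line; print nothing for
# accepted logins or unrelated messages.
failed_src() {
    case $1 in
    *"sshd["*"]: Failed "*" from "*|*"sshd["*"]: Invalid user "*" from "*)
        printf '%s\n' "$1" | sed -n 's/.* from \([0-9A-Fa-f.:]*\).*/\1/p' ;;
    esac
}

# Record one failure for address $1; succeed once LIMIT is reached.
note_failure() {
    mkdir -p "$STATE"
    n=$(cat "$STATE/$1" 2>/dev/null || echo 0)
    n=$((n + 1))
    printf '%s\n' "$n" > "$STATE/$1"
    [ "$n" -ge "$LIMIT" ]
}

# Handle one log line: add the source to the table when it crosses LIMIT
# and is not whitelisted.  Prints the address that was just blocked, if any.
handle_line() {
    ip=$(failed_src "$1")
    [ -n "$ip" ] || return 0
    if [ -r "$WHITELIST" ] && grep -qxF "$ip" "$WHITELIST"; then
        return 0                # never lock yourself out
    fi
    if note_failure "$ip" && pfctl -t "$TABLE" -T add "$ip" >/dev/null 2>&1; then
        rm -f "$STATE/$ip"      # reset; the table entry now does the blocking
        printf '%s\n' "$ip"
    fi
}

# Main loop, entered only when started as "sshwatch run" (syslogd's pipe).
if [ "${1:-}" = run ]; then
    while IFS= read -r line; do handle_line "$line"; done
fi
```

Successful logins are deliberately ignored by this watcher; what it gains over parsing the file is that a source is added as soon as its attempts cross the limit, not at the next cron run.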





Re: Can SSH report successful connections to pf?

2018-05-05 Thread Etienne

On 04/05/18 23:16, Luke Small wrote:

Can SSH and possibly other programs be more easily able to report successful
connections so pf can make stricter bruteforce connection rejecting even
better?


See this paper, which might contain what you're trying to achieve:

https://www.sans.org/reading-room/whitepapers/firewalls/cleaning-yard-discussion-mothers-home-network-security-32933


At the end of a "pass" rule in pf.conf, the author adds:

max-src-conn 3, max-src-conn-rate 2/5, overload  flush global

which means:

"any source can only have a total of three connections,
and they may not create them at a rate faster than two
every five minutes. If they do, they will be added to the
abusers table and every packet/session will be globally
dropped."

I locked myself out of many boxes thanks to that.

--
Étienne



Re: Can SSH report successful connections to pf?

2018-05-05 Thread Andreas Kusalananda Kähäri
On Fri, May 04, 2018 at 11:56:33PM +, Kapfhammer, Stefan wrote:
> 
> You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
> for successful and unsuccessful logins and then add the unsuccessful logins
> with pfctl to a blocked table. To have it permanent after a reboot you can 
> write
> with pfctl the blocked ip's to a file, which you re-read in a pf.conf ruleset.
> 
> Like
> table  persist file "/etc/pf.bruteforce"
> block in quick proto tcp from  to any
> 
> Stefan

This is *exactly* what sshguard does.  I have an updated
security/sshguard port (previously posted to the ports list) that
understands our sshd's log output, but it has not yet been committed.
There is currently some kind of issue with it preventing it from
starting at boot (but always starts with "rcctl start sshguard").  I
haven't looked too deeply at that yet though.

Regards,


-- 
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.



Re: Can SSH report successful connections to pf?

2018-05-04 Thread IL Ka
If you want to open the gate for those who authenticated using ssh, you may
need authpf(8) (known as the Authentication Gateway):
https://www.openbsd.org/faq/pf/authpf.html


Re: Can SSH report successful connections to pf?

2018-05-04 Thread Kapfhammer, Stefan

You might want to parse /var/log/authlog and the logrotated authlog.[0-9].gz
for successful and unsuccessful logins and then add the unsuccessful logins
with pfctl to a blocked table. To have it permanent after a reboot you can write
with pfctl the blocked ip's to a file, which you re-read in a pf.conf ruleset.

Like
table  persist file "/etc/pf.bruteforce"
block in quick proto tcp from  to any

Stefan






From: owner-m...@openbsd.org <owner-m...@openbsd.org> on behalf of Luke Small <lukensm...@gmail.com>
Sent: Saturday 5 May 2018 00:16
To: openbsd-misc
Subject: Can SSH report successful connections to pf?

Can SSH and possibly other programs be more easily able to report successful
connections so pf can make stricter bruteforce connection rejecting even
better?



Re: Can SSH report successful connections to pf?

2018-05-04 Thread Tony Boston
On 05/05/18 00:16, Luke Small wrote:
> Can SSH and possibly other programs be more easily able to report successful
> connections so pf can make stricter bruteforce connection rejecting even
> better?
>

Hi,

Could be just me, but I didn't really get what you want to achieve.

Could you be more specific here?

-- 
Tony

GPG-FP: 913BBD25 8DA503C7 BAE0C0B6 8995E906 4FBAD580





Can SSH report successful connections to pf?

2018-05-04 Thread Luke Small
Can SSH and possibly other programs be more easily able to report successful
connections so pf can make stricter bruteforce connection rejecting even
better?