Re: blacklistd analogue

2021-03-29 Thread Pierre Emeriaud
On Thu 25 Mar 2021 at 19:45, Kapetanakis Giannis
 wrote:
>
> How about a distributed setup?
>
> Has anyone thought of a way of getting IPs from various servers (say linux
> & fail2ban) to the central OpenBSD (pf) firewall?

I send all my logs to a centralised syslog which runs fail2ban, and
instead of using pf here, fail2ban injects bgp routes of "attackers"
to my network.

Then either an openbsd border firewall adds those prefixes to a pf
table to drop the traffic from, or on a linux out-of-as host this
installs a null route. With urpf enabled traffic gets dropped at
ingress.

This setup could scale a lot, bgp was made for distributing prefixes.



Re: blacklistd analogue

2021-03-27 Thread Vincent
Hello,

I've built a python3 daemon which looks for specific patterns in any log file.
For each of those patterns you assign a weight. Once the max weight is reached
in a period of time the associated IP is added to a pf table for a certain
amount of time (1 day typically but can be changed).
You must know python regex to tune it to your specific needs. But samples can
guide you.


 Details here
https://www.vincentdelft.be/post/post_20170517


Vincent

On March 24, 2021 7:33:35 PM GMT+01:00, jeanpierre 
 wrote:
>Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
>
>For the sake of completeness: blacklistd is a daemon that, using pf
>anchors, blocks connections from abusive hosts to particular services
>(e.g. sshd) until they start behaving themselves again.
>
>I find it very useful for trimming down log files.
>
>Regards,
>Jean-Pierre
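The scheme Vincent describes (weighted regex patterns, a time window, a pf table and a timed expiry), as an added Python example that is not Vincent's daemon or any code from this thread; it goes one step further and keeps a per-host strike count so repeat offenders get proportionally longer bans, which is the "history" Giannis asks for later in the thread. The log lines are constructed, the table name `bad_ips` and all thresholds are assumptions, and the code returns the pfctl commands instead of running them.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original post).
SAMPLE_LOG = """\
Mar 25 10:00:01 gw sshd[1234]: Invalid user admin from 203.0.113.7 port 51234
Mar 25 10:00:03 gw sshd[1235]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 25 10:00:04 gw sshd[1236]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar 25 10:00:05 gw sshd[1237]: Failed password for bob from 198.51.100.9 port 40000 ssh2
"""
# Each regex carries a weight; the named group "ip" is the offending host.
PATTERNS = [
    (re.compile(r"Invalid user \S+ from (?P<ip>[0-9a-fA-F.:]+)"), 5),
    (re.compile(r"Failed password for \S+ from (?P<ip>[0-9a-fA-F.:]+)"), 3),
]
MAX_WEIGHT = 10      # score within WINDOW that triggers a block (assumed)
WINDOW = 600         # seconds over which hits are summed (assumed)
BAN_SECONDS = 86400  # one day for a first offence, as in the post
TABLE = "bad_ips"    # assumed pf table: "table <bad_ips> persist" in pf.conf

class Scorer:
    def __init__(self):
        self.hits = defaultdict(list)    # ip -> [(timestamp, weight), ...]
        self.strikes = defaultdict(int)  # ip -> number of earlier bans (history)
        self.banned = {}                 # ip -> ban expiry timestamp

    def feed(self, line, ts):
        """Score one log line seen at time ts; return a pfctl command when a ban triggers."""
        for rx, weight in PATTERNS:
            if not (m := rx.search(line)):
                continue
            ip = m.group("ip")
            # Drop hits older than the sliding window, then record this one.
            self.hits[ip] = [(t, w) for t, w in self.hits[ip] if ts - t < WINDOW]
            self.hits[ip].append((ts, weight))
            if ip not in self.banned and sum(w for _, w in self.hits[ip]) >= MAX_WEIGHT:
                self.strikes[ip] += 1  # repeat offenders get a longer ban
                self.banned[ip] = ts + BAN_SECONDS * self.strikes[ip]
                self.hits[ip].clear()
                return f"pfctl -t {TABLE} -T add {ip}"
        return None

    def expire(self, ts):
        """Return pfctl commands removing bans that have run out by time ts."""
        done = sorted(ip for ip, exp in self.banned.items() if exp <= ts)
        for ip in done:
            del self.banned[ip]
        return [f"pfctl -t {TABLE} -T delete {ip}" for ip in done]

def run(log_text, start_ts=0):
    """Feed lines one second apart; return the scorer and the commands it would issue."""
    s = Scorer()
    cmds = [s.feed(line, start_ts + i) for i, line in enumerate(log_text.splitlines())]
    return s, [c for c in cmds if c]
```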


Re: blacklistd analogue

2021-03-25 Thread Holger Glaess

hi


you can do this with ossec.net


holger


On 25.03.21 at 18:00, Kapetanakis Giannis wrote:

How about a distributed setup?

Has anyone thought of a way of getting IPs from various servers (say
linux & fail2ban) to the central OpenBSD (pf) firewall?


Ideally with history, in order to punish the frequent abusers more.

I had plans on looking to bgp to distribute the IPs around but maybe 
there is already a better way doing this.


thanks and sorry for hijacking but I believe it's quite relevant.

G

On 3/25/21 10:57 AM, Matthias Pressfreund wrote:

You could try this: https://github.com/mpfr/pftbld

It uses pf tables instead of anchors to achieve the same goal.

Handling sshd abusers may be accomplished by first using pf source-tracking
to catch them. For example:

-
table <abusers_catch> persist
block in quick from <abusers_catch>
pass in on egress proto tcp to egress port ssh keep state ( \
max-src-conn 50, max-src-conn-rate 5/180, \
overload <abusers_catch> flush global \
)
--

After that, abusers may be fed to pftbld by a cron-controlled script.
For example:

--
#!/bin/ksh
table='abusers_catch'
pftblctl='/usr/local/sbin/pftblctl'
sock='/var/run/pftbld-abuse.sock'
pfctl -t ${table} -T show | while read -r ip; do
[[ $(${pftblctl} -s ${sock} "${ip}") = 'ACK' ]] \
    && pfctl -q -t ${table} -T delete ${ip}
done
--

Handling httpd abusers is simpler and more straightforward, as shown in the
pftbld documentation.



On 2021-03-24 19:33, jeanpierre wrote:

Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?

For the sake of completeness: blacklistd is a daemon that, using pf
anchors, blocks connections from abusive hosts to particular services
(e.g. sshd) until they start behaving themselves again.

I find it very useful for trimming down log files.

Regards,
Jean-Pierre







Re: blacklistd analogue

2021-03-25 Thread Stuart Henderson
On 2021-03-25, Kapetanakis Giannis  wrote:
> How about a distributed setup?

Not on OpenBSD yet but there is "crowdsec"




Re: blacklistd analogue

2021-03-25 Thread Lars Noodén
On 3/25/21 7:00 PM, Kapetanakis Giannis wrote:
[snip]
> I had plans on looking to bgp to distribute the IPs around but maybe
> there is already a better way doing this.
[snip]

I read this one a while back:

"Using OpenBGPD to distribute pf table updates to your servers"
https://www.echothrust.com/blogs/using-openbgpd-distribute-pf-table-updates-your-servers

/Lars



Re: blacklistd analogue

2021-03-25 Thread Daniel Jakots
On Thu, 25 Mar 2021 19:00:52 +0200, Kapetanakis Giannis
 wrote:

> How about a distributed setup?
> 
> Has anyone thought of a way of getting IPs from various servers (say
> linux & fail2ban) to the central OpenBSD (pf) firewall?
> 
> Ideally with history, in order to punish the frequent abusers more.
> 
> I had plans on looking to bgp to distribute the IPs around but maybe 
> there is already a better way doing this.
> 
> thanks and sorry for hijacking but I believe it's quite relevant.

I did this for my machines: https://chown.me/blog/acacia

It's not clever enough to punish the frequent abusers more, though.

Cheers,
Daniel



Re: blacklistd analogue

2021-03-25 Thread Kapetanakis Giannis

How about a distributed setup?

Has anyone thought of a way of getting IPs from various servers (say linux
& fail2ban) to the central OpenBSD (pf) firewall?


Ideally with history, in order to punish the frequent abusers more.

I had plans on looking to bgp to distribute the IPs around but maybe 
there is already a better way doing this.


thanks and sorry for hijacking but I believe it's quite relevant.

G

On 3/25/21 10:57 AM, Matthias Pressfreund wrote:

You could try this: https://github.com/mpfr/pftbld

It uses pf tables instead of anchors to achieve the same goal.

Handling sshd abusers may be accomplished by first using pf source-tracking
to catch them. For example:

-
table <abusers_catch> persist
block in quick from <abusers_catch>
pass in on egress proto tcp to egress port ssh keep state ( \
max-src-conn 50, max-src-conn-rate 5/180, \
overload <abusers_catch> flush global \
)
--

After that, abusers may be fed to pftbld by a cron-controlled script.
For example:

--
#!/bin/ksh
table='abusers_catch'
pftblctl='/usr/local/sbin/pftblctl'
sock='/var/run/pftbld-abuse.sock'
pfctl -t ${table} -T show | while read -r ip; do
[[ $(${pftblctl} -s ${sock} "${ip}") = 'ACK' ]] \
&& pfctl -q -t ${table} -T delete ${ip}
done
--

Handling httpd abusers is simpler and more straightforward, as shown in the
pftbld documentation.



On 2021-03-24 19:33, jeanpierre wrote:

Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?

For the sake of completeness: blacklistd is a daemon that, using pf
anchors, blocks connections from abusive hosts to particular services
(e.g. sshd) until they start behaving themselves again.

I find it very useful for trimming down log files.

Regards,
Jean-Pierre





Re: blacklistd analogue

2021-03-25 Thread Matthias Pressfreund
You could try this: https://github.com/mpfr/pftbld

It uses pf tables instead of anchors to achieve the same goal.

Handling sshd abusers may be accomplished by first using pf source-tracking
to catch them. For example:

-
table <abusers_catch> persist
block in quick from <abusers_catch>
pass in on egress proto tcp to egress port ssh keep state ( \
max-src-conn 50, max-src-conn-rate 5/180, \
overload <abusers_catch> flush global \
)
--

After that, abusers may be fed to pftbld by a cron-controlled script.
For example:

--
#!/bin/ksh
table='abusers_catch'
pftblctl='/usr/local/sbin/pftblctl'
sock='/var/run/pftbld-abuse.sock'
pfctl -t ${table} -T show | while read -r ip; do
[[ $(${pftblctl} -s ${sock} "${ip}") = 'ACK' ]] \
&& pfctl -q -t ${table} -T delete ${ip}
done
--

Handling httpd abusers is simpler and more straightforward, as shown in the
pftbld documentation.



On 2021-03-24 19:33, jeanpierre wrote:
> Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
> 
> For the sake of completeness: blacklistd is a daemon that, using pf
> anchors, blocks connections from abusive hosts to particular services
> (e.g. sshd) until they start behaving themselves again.
> 
> I find it very useful for trimming down log files.
> 
> Regards,
> Jean-Pierre
> 



Re: blacklistd analogue

2021-03-25 Thread Родин Максим

Hello,
Why not just use a script that reads auth logs and adds abusive hosts to a
pf table using some patterns?

And you then decide what to do with addresses in that table and how long
should they stay in that table.

user~$ pfctl -t bad_ips -T show | wc -l
   69079

24.03.2021 21:33, jeanpierre wrote:

Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?

For the sake of completeness: blacklistd is a daemon that, using pf
anchors, blocks connections from abusive hosts to particular services
(e.g. sshd) until they start behaving themselves again.

I find it very useful for trimming down log files.

Regards,
Jean-Pierre



--
Best regards,
Родин Максим



Re: blacklistd analogue

2021-03-24 Thread Stuart Henderson
On 2021-03-24, jeanpierre  wrote:
> Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
>
> For the sake of completeness: blacklistd is a daemon that, using pf
> anchors, blocks connections from abusive hosts to particular services
> (e.g. sshd) until they start behaving themselves again.
>
> I find it very useful for trimming down log files.
>
> Regards,
> Jean-Pierre
>
>

sshguard (in ports) should do something like this.

sometimes PF's built-in source-tracking (max-src-conn-rate)
is good enough.

another way is to block all connections, except from specific
wanted IPs, or connections over VPN.




Re: blacklistd analogue

2021-03-24 Thread Jordan Geoghegan


On 3/24/21 11:48 AM, Peter Nicolai Mathias Hansteen wrote:
>> On 24 Mar 2021, at 19:33, jeanpierre
>> wrote:
>>
>> Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
>>
>> For the sake of completeness: blacklistd is a daemon that, using pf
>> anchors, blocks connections from abusive hosts to particular services
>> (e.g. sshd) until they start behaving themselves again.
>>
>> I find it very useful for trimming down log files.
> Not in the base system but you might want to take a peek at pf-badhosts 
> (described among other places in this OpenBSD Journal article 
> https://undeadly.org/cgi?action=article;sid=20210119113425 
> ) which should be 
> fairly easy to adapt to using more or other sources such as the bsdly.net 
>  feed maintained mainly by kind robots under supervision 
> by yours truly (see 
> https://bsdly.blogspot.com/2018/08/badness-enumerated-by-robots.html 
>  and 
> links therein and in the proximity)
>
> Cheers,
> Peter
>
> —
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>

I use Peter's "bruteforcers" list on my personal pf-badhost installs. 
pf-badhost will happily parse and ingest the IPv4 and IPv6 data in Peter's 
blocklists.

Just use the '-l' option to include an additional URL. Something like this 
should work to include his lists:

    $ pf-badhost -O openbsd -l 'https://www.bsdly.net/~peter/bruteforcers.txt'

I intend to include this among the default lists in the next release -- the 
only reason it wasn't included in v0.5 was because I discovered it too late.

Happy bot blocking!

Regards,

Jordan



Re: blacklistd analogue

2021-03-24 Thread Peter Nicolai Mathias Hansteen


> On 24 Mar 2021, at 19:33, jeanpierre
> wrote:
> 
> Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
> 
> For the sake of completeness: blacklistd is a daemon that, using pf
> anchors, blocks connections from abusive hosts to particular services
> (e.g. sshd) until they start behaving themselves again.
> 
> I find it very useful for trimming down log files.

Not in the base system but you might want to take a peek at pf-badhosts 
(described among other places in this OpenBSD Journal article 
https://undeadly.org/cgi?action=article;sid=20210119113425 
) which should be 
fairly easy to adapt to using more or other sources such as the bsdly.net 
 feed maintained mainly by kind robots under supervision by 
yours truly (see 
https://bsdly.blogspot.com/2018/08/badness-enumerated-by-robots.html 
 and 
links therein and in the proximity)

Cheers,
Peter

—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.








Re: blacklistd analogue

2021-03-24 Thread Thomas Windisch
On Wed, Mar 24, 2021 at 08:33:35PM +0200, jeanpierre wrote:
> Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
> 
> For the sake of completeness: blacklistd is a daemon that, using pf
> anchors, blocks connections from abusive hosts to particular services
> (e.g. sshd) until they start behaving themselves again.
> 
> I find it very useful for trimming down log files.
> 
> Regards,
> Jean-Pierre
> 

I believe that you would be able to achieve that with pf:

https://www.openbsd.org/faq/pf/filter.html#stateopts



blacklistd analogue

2021-03-24 Thread jeanpierre
Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?

For the sake of completeness: blacklistd is a daemon that, using pf
anchors, blocks connections from abusive hosts to particular services
(e.g. sshd) until they start behaving themselves again.

I find it very useful for trimming down log files.

Regards,
Jean-Pierre