I would like to block all incoming traffic to a specific port and put the source IPs of those blocked packets into a table... I don't know of a pf.conf solution; I guess I would use some other kind of trick, but I really don't know which! Maybe a script listening to tcpdump output from a specific pflog interface that receives the logs of those blocked packets and reports the IPs to the pfctl add-to-table command..? Any idea of the lightest-weight way to achieve it?
Viewed 887 times
- iptables log to mysql maybe? `http://linuxgazette.net/121/anonymous.html` – Gmck Apr 02 '17 at 04:13
- I am using Packet Filter in FreeBSD! I need to add the IPs to a Packet Filter table, which is just a file :-) – Psyloh Apr 02 '17 at 09:28
- Didn't realize it was BSD - even with pfctl noted! My bad. It sounds like you want to block brute force attempts maybe? If so, you can use max-src-conn-rate, which will do this, and you will not need to maintain a table. There are lots of how-to docs available. One for ssh - `https://home.nuug.no/~peter/pf/en/bruteforce.html` – Gmck Apr 05 '17 at 08:12
- I know how to ward against brute force attacks, I already set up such protection for open ports, but I would like to ban IPs that try to knock on port 22, which is not open ^^ I could listen on port 22 with a custom script that writes to the table, but how? – Psyloh Apr 05 '17 at 17:23
1 Answer
I use this configuration on my servers. Basically I have a table with trusted IPs and one table with the ones that try to brute-force SSH (for the few cases when it's open to the world).
Create a new file /etc/trusted and put your own IP address(es) in it (one per line).
Open/create /etc/firewall and put in your rules (i.e. HTTP/S, SSH):
#######################################################################
me="vtnet0"
table <bruteforcers> persist
table <trusted> persist file "/etc/trusted"
icmp_types = "echoreq"
junk_ports="{ 135,137,138,139,445,68,67,3222 }"
junk_ip="224.0.0.0/4"
set loginterface vtnet0
scrub on vtnet0 reassemble tcp no-df random-id
# ---- First rule obligatory "Pass all on loopback"
pass quick on lo0 all
# ---- Block junk logs
block quick proto { tcp, udp } from any to $junk_ip
block quick proto { tcp, udp } from any to any port $junk_ports
# ---- Second rule "Block all in and pass all out"
block in log all
pass out all keep state
############### FIREWALL ###############################################
# ---- Allow all traffic from my office
pass quick proto {tcp, udp} from 1.2.3.4 to $me keep state
# ---- Allow incoming Web traffic
pass quick proto tcp from any to $me port { 80, 443 } flags S/SA keep state
# ---- Block bruteforcers
block log quick from <bruteforcers>
# ---- Allow SSH from trusted sources, but block bruteforcers
pass quick proto tcp from <trusted> to $me port ssh \
flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 20/60, \
overload <bruteforcers> flush global)
# ---- Allow ICMP
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out inet proto icmp all icmp-type $icmp_types keep state
Update your /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/firewall"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
See whether you have anyone in the bruteforcers table:
pfctl -t bruteforcers -T show

Andrea Sessa
- That's exactly what I'm doing, since it's the straightforward and common way of management! But I would like to protect my server against slow bruteforcers as well, and anyone that is attempting to scan my ports... The idea is to set some unused ports up as open capturing traps! If someone attempts to contact port 22 and some others, their IP is definitely banned by PF :-) This is what I need to set up but I don't know yet how I would do so... – Psyloh Apr 25 '17 at 10:36
- Oh, I missed that point in the question, have you already tried honeyd and custom scripts? – Andrea Sessa Apr 26 '17 at 10:53
- Ah cool! I searched about honeyd and ended up with an awesome possibility! I could let anyone into a virtual honeypot and capture the keystrokes..! I would probably learn a lot by spying on attackers instead of trying to lure them out..! Plus, denying any IP that contacted port 22 will result in a huge table file :-s And the file may need to be flushed periodically... But I didn't spot such a possibility in honeyd's features... Am I mistaken? Do you know an open source solution that would fit the need? Thx :-) – Psyloh May 02 '17 at 18:07
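The pflog-driven approach sketched in the question (a script that reads the blocked-packet log and feeds `pfctl -T add`), written out as an added example that is not from any participant in this thread. It assumes the trap port is matched by a rule with `log` (for example `block in log quick proto tcp from any to $me port 22`), that the pflog interface is pflog0, and that the target table is `<bruteforcers>` from the answer's pf.conf; all three are placeholders you can override through the environment. The `SAMPLE_PFLOG` lines are a constructed imitation of `tcpdump -n -e -ttt -i pflog0` output so the parser can be exercised offline; `expire_stale` uses `pfctl -T expire` to address the table-growth concern raised in the last comment.

```sh
#!/bin/sh
# Added example, not from the question or the answer: feed addresses that hit a
# closed "trap" port into a pf table from pflog, as the question sketches.
# Assumptions (placeholders, overridable via the environment): the trap port is
# logged by a rule such as "block in log quick proto tcp from any to $me port 22",
# the pflog interface is pflog0, and the table is <bruteforcers> from the answer.
TRAP_PORT="${TRAP_PORT:-22}"
TABLE="${TABLE:-bruteforcers}"
PFLOG_IF="${PFLOG_IF:-pflog0}"

# Constructed sample of what "tcpdump -n -e -ttt -i pflog0" prints; real output
# on a server will differ in timestamps and rule numbers.
SAMPLE_PFLOG='00:00:00.000000 rule 5/0(match): block in on vtnet0: 203.0.113.7.51234 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0
00:00:00.512345 rule 5/0(match): block in on vtnet0: 203.0.113.7.51235 > 192.0.2.10.22: Flags [S], seq 2, win 64240, length 0
00:00:01.000000 rule 5/0(match): block in on vtnet0: 198.51.100.23.40001 > 192.0.2.10.23: Flags [S], seq 3, win 64240, length 0
00:00:02.000000 rule 7/0(match): pass in on vtnet0: 198.51.100.9.40002 > 192.0.2.10.443: Flags [S], seq 4, win 64240, length 0'

# Read tcpdump pflog lines on stdin and print the source IPv4 of every inbound
# packet that pf *blocked* on the port given as $1, one address per line.
# Passed packets, other ports and IPv6 records are ignored.
extract_blocked_sources() {
    awk -v port="$1" '
        /\(match\): block in / {
            src = ""; dst = ""
            # tcpdump prints "src.sport > dst.dport:"; locate the ">" token
            for (i = 1; i <= NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
            sub(/:$/, "", dst)                   # strip trailing colon from dst.dport
            n = split(dst, d, ".")
            if (n != 5 || d[5] != port) next     # not IPv4, or not the trap port
            m = split(src, s, ".")
            if (m != 5) next                     # IPv4 only: a.b.c.d.sport
            print s[1] "." s[2] "." s[3] "." s[4]
            fflush()                             # keep the pipe to pfctl live
        }'
}

# Follow pflog and add each offender to the table. "pfctl -T add" is
# idempotent, so repeat hits from the same address are harmless.
watch_pflog() {
    tcpdump -n -e -ttt -l -i "$PFLOG_IF" "tcp and dst port $TRAP_PORT" 2>/dev/null \
        | extract_blocked_sources "$TRAP_PORT" \
        | while read -r ip; do
              pfctl -t "$TABLE" -T add "$ip"
          done
}

# Keep the table from growing forever: drop entries older than $1 seconds
# (default one day). Suitable for a periodic cron job.
expire_stale() {
    pfctl -t "$TABLE" -T expire "${1:-86400}"
}

if [ "${1:-}" = "--live" ]; then
    watch_pflog
elif [ "${1:-}" = "--expire" ]; then
    expire_stale "${2:-86400}"
fi
```

Run it as `./trap.sh --live` under a supervisor (or from rc.local) and `./trap.sh --expire 86400` from cron. Only logged packets reach pflog0, so without `log` on the blocking rule the watcher sees nothing; the table entries themselves are only enforced by a `block quick from <bruteforcers>` rule like the one in the answer, and because that rule sits after the web `pass quick` rule in the answer's order, trapped addresses can still reach 80/443 unless you move it up.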