Today's Topics:
1. Re: Limit connections doens't work (olli hauer)
2. RE: Limit connections doesn't work (Torsten Kersandt)
3. Re: Limit connections doesn't work (Tom Uffner)
4. RE: Limit connections doesn't work (Torsten Kersandt)
5. Current problem reports assigned to freeb...@FreeBSD.org
(FreeBSD bugmaster)
----------------------------------------------------------------------
Message: 1
Date: Sun, 06 Dec 2009 14:18:21 +0100
From: olli hauer <oha...@gmx.de>
Subject: Re: Limit connections doens't work
To: Nico De Dobbeleer <ni...@elico-it.be>
Cc: freeb...@freebsd.org
Message-ID: <4B1BAF1D...@gmx.de>
Content-Type: text/plain; charset=UTF-8; format=flowed
Nico De Dobbeleer wrote:
> Hello,
>
> As most of the public ip's my servers are constantly under bruteforce attack see example:
>
> Dec 5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 173.10.126.226 port 47871 ssh2
> Dec 5 13:56:37 hosting sshd[18623]: Invalid user support123 from 173.10.126.226
> Dec 5 13:56:39 hosting sshd[18623]: Failed password for invalid user support123 from 173.10.126.226 port 48289 ssh2
...
>
> Now I want to limit the connection over ssh to a specific ipaddress and I added the rules below for that.
> ------------------------------------------------------------------------------------------------------------------
> #Tables
> table <abusive_ips> persist file "/etc/pf.abusive_ips.block.list"
> table <brute> persist
>
> # Rules
>
> block quick from <abusive_ips>
> block quick from <brute>
>
>
> # Limit connections per IP
>
> pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
> (max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)
> pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
> (max-src-conn 10, max-src-conn-rate 3/15, overload <brute> flush)
> pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to xx.xx.xx.xx port ssh flags S/SA keep state
> (max-src-conn 10, max-src-conn-rate 3/15, overload <abusive_ips> flush)
> --------------------------------------------------------------------------------------------------------------------
>
> The only problem is that it doesn't work. These rules don't write the abusive ip in the abusif list file or in the <brute> table.
>
> Anyone an idea why it doesn't overload the ip's when the connections per ip are more then 10 of more then 3/15?
- Which FreeBSD version is this: 6.x, 7.x or 8.x?
- Avoid the quick keyword in the rules with overload.
- pf can preload IPs from the file specified in
"table <tablename> ... file "/filename"" but does not write IPs into
the file. I use the script below to do this on an OpenBSD machine.
- Rewrite your rule and avoid the any keyword:
pass in on { $ext_if, $int_if, $mng_if } inet proto tcp \
from !<brute> to xx.xx.xx.xx port ssh flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 3/15, overload <brute> flush)
Hint:
- Look for the additional keyword global (flush global).
- If the IP in your rule is your base IP on $ext_if, write it as
$ext_if:0
This script writes IPs from the bf_* tables into a file so you can
preload them the next time the pf rules are installed or the machine reboots.
Additionally it can send you a mail with the IPs added to the table, and if
GeoIP is installed you get the GeoIP info.
With a little modification of the script/rules it will work for you.
#!/bin/sh
##################################################################
# $Source: RCS/pftable_to_file.sh,v $
# OS: OpenBSD
#
# olli hauer
#
##################################################################
# sample rule for pf
# ---------------------------
# block in log quick proto { tcp, udp } from <bf_ssh> \
#     to any port ssh label BRUTFORCE-SSH    # table for overload connections
#
# pass in log on $if_ext inet proto tcp from ! <bf_ssh> to $if_ext \
#     port = ssh flags S/SA keep state \
#     (source-track rule, max-src-conn 10, \
#     max-src-conn-rate 3/90, overload <bf_ssh> \
#     flush global, if-bound, src.track 90) \
#     label "SSH"

umask 077

PF_TABLES="bf_mail bf_ssh bf_web"
OUTDIR="/etc/pf"
GEOIP=/usr/local/bin/geoiplookup

# hold the output from pfctl -tx -Ts
TMP_PFCTL=`mktemp /tmp/.tmp_pf_table.XXXXXXXXXX` || exit 1
# hold the diff between old and new
TMP_DIFF=`mktemp /tmp/.tmp_diff.XXXXXXXXXX` || exit 1
trap 'rm -f ${TMP_PFCTL} ${TMP_DIFF}' 0 1 2 3 13 15

[ -d ${OUTDIR} ] || mkdir -p ${OUTDIR}

for TABLE in ${PF_TABLES}; do
    # make sure the output file exists
    [ -f ${OUTDIR}/${TABLE} ] || /usr/bin/touch ${OUTDIR}/${TABLE}

    # extract the IPs currently in the table
    /sbin/pfctl -t${TABLE} -Ts | awk '{print $1}' > ${TMP_PFCTL}

    # we need only the '+' lines of the diff, to grep for them later
    # (diff exits 0 = identical, 1 = differences, 2 = trouble)
    /usr/bin/diff -bu ${OUTDIR}/${TABLE} ${TMP_PFCTL} > ${TMP_DIFF}
    RETVAL=$?
    case ${RETVAL} in
        0)  # nothing changed in this table
            continue ;;
        1)
            # save the old file
            if [ -f ${OUTDIR}/${TABLE} ]; then
                cp ${OUTDIR}/${TABLE} ${OUTDIR}/${TABLE}.old
            fi
            # mail message header
            date
            echo "change in table: ${TABLE}"
            echo "------------------------------------"
            # look up the IP in the GeoIP database
            if [ -x ${GEOIP} ]; then
                for IP in `egrep "^\+[0-9]" ${TMP_DIFF} | tr -d \+`; do
                    # print the IP without linefeed
                    printf "%-20s # " ${IP}
                    # strip the netmask if a NET was added by hand
                    IPT=`echo ${IP} | sed 's/\/[[:digit:]]*//g'`
                    # make a short GeoIP output
                    ${GEOIP} ${IPT} | sed 's/ Country Edition//g'
                done
            else
                egrep "^\+[0-9]" ${TMP_DIFF} | tr -d \+
            fi
            # the fresh table dump becomes the new preload file
            mv ${TMP_PFCTL} ${OUTDIR}/${TABLE}
            ;;
        *)  echo "error in diff" ;;
    esac
done
Small snippet from my bf_ssh file (places with IP ranges I won't visit
in the near future).
Snippet from file /etc/pf/bf_ssh:
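The rule Nico quoted uses max-src-conn-rate 3/15. As an added example (not code from this thread), the function below replays that counter in awk over sshd log lines of the format he posted, so you can see from a log which sources would have been overloaded. It assumes all lines are from the same day and that each "Failed password"/"Invalid user" line is one connection attempt; the sample log and addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from this thread. Replays in awk what pf counts for
# "max-src-conn-rate 3/15": a source that opens more than RATE_MAX
# connections inside any RATE_SECS-second window gets overloaded.
# Assumptions: sshd syslog lines as quoted in the thread, all from the same
# day, one "Failed password"/"Invalid user" line per connection attempt.
RATE_MAX="${RATE_MAX:-3}"
RATE_SECS="${RATE_SECS:-15}"

# Read log lines on stdin; print each source IP that exceeded the rate, sorted.
flag_sources() {
    awk -v max="$RATE_MAX" -v win="$RATE_SECS" '
        /sshd\[[0-9]+]: (Failed password|Invalid user)/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            split($3, t, ":")                     # field 3 is HH:MM:SS
            now = t[1] * 3600 + t[2] * 60 + t[3]
            n[ip]++; ts[ip, n[ip]] = now          # append to this source queue
            # drop attempts that fell out of the window (head is first[ip]+1)
            while (first[ip] < n[ip] && ts[ip, first[ip] + 1] <= now - win)
                first[ip]++
            if (n[ip] - first[ip] > max) bad[ip] = 1
        }
        END { for (ip in bad) print ip }' | sort
}

# Constructed sample: 203.0.113.7 makes four attempts in 9 seconds (over 3/15),
# 198.51.100.9 makes three attempts spread over a minute (within 3/15).
SAMPLE_LOG='Dec  5 13:56:36 hosting sshd[18621]: Failed password for invalid user tim from 203.0.113.7 port 47871 ssh2
Dec  5 13:56:37 hosting sshd[18623]: Invalid user support123 from 203.0.113.7
Dec  5 13:56:40 hosting sshd[18625]: Failed password for invalid user admin from 203.0.113.7 port 48290 ssh2
Dec  5 13:56:41 hosting sshd[18630]: Failed password for root from 198.51.100.9 port 51001 ssh2
Dec  5 13:56:45 hosting sshd[18627]: Failed password for invalid user test from 203.0.113.7 port 48301 ssh2
Dec  5 13:57:05 hosting sshd[18640]: Failed password for root from 198.51.100.9 port 51002 ssh2
Dec  5 13:57:40 hosting sshd[18650]: Failed password for root from 198.51.100.9 port 51003 ssh2'

# Wrapper so the constructed sample can be checked without a pipeline;
# for a real log use: flag_sources < /var/log/auth.log
flag_sample() { printf '%s\n' "$SAMPLE_LOG" | flag_sources; }
```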
------------------------------
Message: 2
Date: Sun, 6 Dec 2009 16:17:42 -0000
From: "Torsten Kersandt" <tor...@cnc-london.net>
Subject: RE: Limit connections doesn't work
To: <freeb...@freebsd.org>
Message-ID: <015501ca768f$a42353e0$ec69fba0$@net>
Content-Type: text/plain; charset="utf-8"
Hi
I personally have all ssh and similar ports closed on my servers.
If I want to connect to the server per ssh or whatever function, I log in to a hidden php which adds my current IP to an SQL table.
I use SQL because I'm not the only one using this and want to keep track of which admin is logging in.
A cron job is running every minute, looking in the table and adding the new IP addresses to the pf include file and reloading PF.
Every night at 4am, I empty the text file and reload pf.
I know that this could be done more elegantly, but KISS is what I like.
In addition I have tcpserver running a perl script on a non-privileged port to add an IP to the SQL tables if apache fails.
#!/bin/sh
### MySQL Setup ###
MUSER="username"
MPASS="password"
MHOST="localhost"
MYSQL="/usr/local/bin/mysql"
#
### Get all new IP addresses (cleared within the last 60 seconds) ###
DBS="$($MYSQL -u $MUSER -h $MHOST -p$MPASS -Bse 'select ipAddress from intranet.ipCleared WHERE `timestamp` > (UNIX_TIMESTAMP()-60)')"
for ip in $DBS
do
    ## this bit is emailed to me over cron run-output if a new IP address was found
    echo "$ip" >> /usr/local/etc/pf/pf.VNCallow
    echo "Added $ip to VNC Access from MYSQL Table"
    /etc/rc.d/pf reload
done
------------------------------
Message: 3
Date: Sun, 06 Dec 2009 18:01:16 -0500
From: Tom Uffner <t...@uffner.com>
Subject: Re: Limit connections doesn't work
To: Torsten Kersandt <tor...@cnc-london.net>
Cc: freeb...@freebsd.org
Message-ID: <4B1C37BC...@uffner.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Torsten Kersandt wrote:
> HI
> I personally have all ssh and alike ports closed on my servers.
> If I want to connect to the server per ssh or whatever function, I login to a hidden php which adds my current IP to a sql table.
> I use sql because I'm not the only one using this and want to keep track which admin is logging in.
> A cron job is running every minute looking in the table and adding the new ip addresses to the pf include file and reloading PF
>
> Every night at 4am, I empty the text file and reload pf.
>
> I know that this could be done more elegant but KISS is what I like.
That script is horribly inefficient and disruptive to your firewall
throughput.
You could save a lot of unnecessary CPU cycles and speed up your
connections a bit by simply replacing the reloads with pfctl
commands that manipulate the table directly.
> #!/bin/sh
> ### MySQL Setup ###
> MUSER="username"
> MPASS="password"
> MHOST="localhost"
> MYSQL="/usr/local/bin/mysql"
> #
> ### Get all new IP addresses ###
> DBS="$($MYSQL -u $MUSER -h $MHOST -p$MPASS -Bse 'select ipAddress from intranet.ipCleared WHERE `timestamp` > (UNIX_TIMESTAMP()-60)')"
> for ip in $DBS
> do
> ## this bit is emailed to me over cron run-output if a new IP address was found
> echo $ip >> /usr/local/etc/pf/pf.VNCallow
> echo "Added $ip to VNC Access from MYSQL Table"
> /etc/rc.d/pf reload
> done
That loop at the end is anything but KISS.
Select the new addresses and add them to the table with something like
pfctl -t VNCallow -T add $DBS
instead of that do loop. For persistence across reboots, select all the
addresses in your SQL table and add them to the pf table when pf starts.
Clear the table with
pfctl -t VNCallow -T flush
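As an added example (not Tom's or Torsten's code), here is the pfctl-based replacement Tom describes, with one extra step a practitioner would want: every value coming out of the database is checked to be an IPv4 address or prefix before it is handed to pfctl, so a bad row cannot become a stray table entry. It assumes a table <VNCallow> declared in pf.conf, pfctl at /sbin/pfctl (override PFCTL to run it without pf), and the query output in $DBS as in the original script; the sample values are constructed.

```shell
#!/bin/sh
# Added example (not code from this thread). Replaces the per-IP
# "append to file + pf reload" loop with a single pfctl table add, and
# validates every address read from the database before it is passed on.
# Assumptions: table <VNCallow> exists in pf.conf, pfctl is /sbin/pfctl
# (override PFCTL to test without pf), $DBS holds the query output as before.
PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-VNCallow}"

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    addr="${1%/*}"; pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32            # no prefix given: host address
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    n=0; oldifs=$IFS; IFS=.
    for o in $addr; do
        n=$((n + 1))
        if [ "$o" -gt 255 ]; then IFS=$oldifs; return 1; fi
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Print the members of a whitespace-separated list that pass valid_ipv4,
# one per line; anything else is reported on stderr and dropped.
filter_addrs() {
    for a in $1; do
        if valid_ipv4 "$a"; then echo "$a"; else echo "skipping '$a'" >&2; fi
    done
}

# Add all valid addresses to the table with one pfctl call (no pf reload).
add_to_table() {
    addrs=$(filter_addrs "$1")
    [ -n "$addrs" ] || return 0
    # shellcheck disable=SC2086  # word splitting of $addrs is intended
    $PFCTL -t "$TABLE" -T add $addrs
}

# Constructed sample standing in for the SELECT output: two good entries,
# an out-of-range octet and a string no cleared-IP table should contain.
SAMPLE_DBS="192.0.2.10 256.1.1.1 198.51.100.0/24 1.2.3.4;junk"
[ "${1:-}" = "--demo" ] && PFCTL=echo add_to_table "$SAMPLE_DBS"
```

Run with --demo to see the pfctl command line that would be executed; in the cron job replace SAMPLE_DBS with "$DBS".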
------------------------------
Message: 4
Date: Mon, 7 Dec 2009 09:42:53 -0000
From: "Torsten Kersandt" <tor...@cnc-london.net>
Subject: RE: Limit connections doesn't work
To: "'Tom Uffner'" <t...@uffner.com>
Cc: freeb...@freebsd.org
Message-ID: <017601ca7721$a69550f0$f3bff2d0$@net>
Content-Type: text/plain; charset="us-ascii"
Hi Tom,
I know, and this is what I said.
Yes, you're right, and I can replace the reload and put it into a table with
the pf command.
But the server is on a 1mb/10mb ADSL line and throughput does not really
matter.
It was sent as an example only, not as a must-do. This script was done 5
years ago as a quick hack,
and because I'm not an expert with PF, I'm subscribed to this list so I can
learn without prejudice.
Torsten
------------------------------
Message: 5
Date: Mon, 7 Dec 2009 11:07:00 GMT
From: FreeBSD bugmaster <bugm...@FreeBSD.org>
Subject: Current problem reports assigned to freeb...@FreeBSD.org
To: freeb...@FreeBSD.org
Message-ID: <200912071107....@freefall.freebsd.org>
Note: to view an individual PR, use:
http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).
The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.
S Tracker Resp. Description
--------------------------------------------------------------------------------
o kern/140697 pf [pf] pf behaviour changes - must be documented
o kern/137982 pf [pf] when pf can hit state limits, random IP failures
o kern/136781 pf [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948 pf [pf] [gre] pf not natting gre protocol
o kern/135162 pf [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996 pf [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732 pf [pf] max-src-conn issue
o kern/132769 pf [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176 pf [pf] pf stalls connection when using route-to [regress
o conf/130381 pf [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861 pf [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920 pf [pf] ipv6 and synproxy don't play well together
o conf/127814 pf [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439 pf [pf] deadlock in pf
f kern/127345 pf [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121 pf [pf] [patch] pf incorrect log priority
o kern/127042 pf [pf] [patch] pf recursion panic if interface group is
o kern/125467 pf [pf] pf keep state bug while handling sessions between
s kern/124933 pf [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364 pf [pf] [panic] Kernel panic with pf + bridge
o kern/122773 pf [pf] pf doesn't log uid or pid when configured to
o kern/122014 pf [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704 pf [pf] PF mangles loopback packets
o kern/120281 pf [pf] [request] lost returning packets to PF for a rdr
o kern/120057 pf [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355 pf [pf] [patch] pfctl(8) help message options order false
o kern/114567 pf [pf] [lor] pf_ioctl.c + if.c
o kern/114095 pf [carp] carp+pf delay with high state limit
o kern/111220 pf [pf] repeatable hangs while manipulating pf tables
s conf/110838 pf [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283 pf pfsync fails to sucessfully transfer some sessions
o kern/103281 pf pfsync reports bulk update failures
o kern/93825 pf [pf] pf reply-to doesn't work
o sparc/93530 pf [pf] Incorrect checksums when using pf's route-to on s
o kern/92949 pf [pf] PF + ALTQ problems with latency
o bin/86635 pf [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271 pf [pf] cbq scheduler cause bad latency
37 problems total.
------------------------------
End of freebsd-pf Digest, Vol 272, Issue 1