[Solved] sshguard vs pf Stateful Tracking Option (STO)

Hello,

I am currently running FreeBSD 10 with pf firewall and sshguard to protect myself against brute force attacks.
/etc/rc.conf
Code:
sshguard_enable="YES"
sshguard_safety_thresh="30"
sshguard_pardon_min_interval="600"
sshguard_prescribe_interval="7200"
I have been reading on the internet that I could achieve the same protection and reduce the number of daemons running on the system by using the PF Stateful Tracking Option (STO)
/etc/pf.conf
Code:
SshSTO ="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any
pass in log on $ExtIf inet proto tcp from any to ($ExtIf) port ssh keep state $SshSTO

Could anyone advise if this is the case or not and the advantage / disadvantage of doing that?
Can I keep my jails protected using STO?
Thank you

Fred
 
Re: sshguard vs pf Stateful Tracking Option (STO)

Keep using the security/sshguard-pf daemon; it can detect a lot more attack types than the simple connection rate limiting (that's what the PF feature should be called; stateful tracking is the basic connection tracking mechanism) that PF can do.
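To show what the rate limiting in this reply does and does not catch, here is an added Python model (not code from the thread or from pf) of the per-source bookkeeping behind `max-src-conn-rate N/S`, mirroring the integer decay in pf's pf_add_threshold()/pf_check_threshold(); it assumes whole-second timestamps of completed TCP handshakes (pf counts only those) and leaves `max-src-conn` out.

```python
"""Model of pf's per-source max-src-conn-rate N/S bookkeeping (added example).

Mirrors pf's pf_add_threshold()/pf_check_threshold() integer arithmetic: the
counter decays linearly with the seconds since the last completed handshake,
resets after a full window, gains PF_THRESHOLD_MULT per connection, and trips
when it exceeds N * MULT. Timestamps are whole seconds; max-src-conn is ignored.
"""
from dataclasses import dataclass
from typing import List, Optional

PF_THRESHOLD_MULT = 1000  # pf scales counts by 1000 to get fractional decay


@dataclass
class SrcNode:
    """The per-source record pf keeps under 'source-track rule'."""
    limit: int    # N from "max-src-conn-rate N/S", already multiplied
    seconds: int  # S from "max-src-conn-rate N/S"
    last: int     # uptime (seconds) of the previous update
    count: int = 0

    def add(self, now: int) -> None:
        """pf_add_threshold(): decay the counter, then count this handshake."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0
        else:
            self.count -= self.count * diff // self.seconds
        self.count += PF_THRESHOLD_MULT
        self.last = now

    def over_limit(self) -> bool:
        """pf_check_threshold(): strictly greater than the limit, as in pf."""
        return self.count > self.limit


def first_overload(conn_times: List[int], rate: str) -> Optional[int]:
    """Index of the handshake at which pf would push the source into the
    overload table (e.g. <sshguard>), or None if the rate never trips.
    `rate` uses the pf.conf spelling, e.g. "15/5" or "100/30"."""
    n, s = (int(x) for x in rate.split("/"))
    node = SrcNode(limit=n * PF_THRESHOLD_MULT, seconds=s, last=conn_times[0])
    for i, t in enumerate(conn_times):
        node.add(t)
        if node.over_limit():
            return i
    return None
```

With this thread's values, a constructed burst of 20 handshakes in one second (`first_overload([0] * 20, "15/5")`) is overloaded at the 16th handshake (index 15), while a patient attacker making one attempt every two seconds (`[2 * i for i in range(100)]`) never trips either 15/5 or 100/30. That slow case is the one sshguard handles, because it scores the authentication failures sshd logs rather than connection counts.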
 
fred974 said:
Hello,

I am currently running FreeBSD 10 with pf firewall and sshguard to protect myself against brute force attacks.
/etc/rc.conf
Code:
sshguard_enable="YES"
sshguard_safety_thresh="30"
sshguard_pardon_min_interval="600"
sshguard_prescribe_interval="7200"
I have been reading on the internet that I could achieve the same protection and reduce the number of daemons running on the system by using the PF Stateful Tracking Option (STO)
/etc/pf.conf
Code:
SshSTO ="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any
pass in log on $ExtIf inet proto tcp from any to ($ExtIf) port ssh keep state $SshSTO

Could anyone advise if this is the case or not and the advantage / disadvantage of doing that?
Can I keep my jails protected using STO?
Thank you

Fred

Use both! Please refer to this thread for the reasons behind it.

viewtopic.php?f=43&t=44255&hilit=+sshguard
 
fred974 said:
Just another quick one...
Can fail2ban secure both FreeBSD host and jails?
Linux bloatware written in Python. I am using it on my Red Hat servers (circa 50 of them). I didn't find it useful on OpenBSD, but I'm not sure about FreeBSD.
 
sshguard and pf Stateful Tracking advice please

Hello everyone,

At the moment I am using pf and security/sshguard to protect the server from brute force. My current pf.conf file is:
Code:
ext_if="bce0"

IP_FREEBSD_HOST="192.168.0.155"
IP_WEB="192.168.0.125"
SSH_HOSTS= "{" $IP_FREEBSD_HOST $IP_WEB "}"

PORT_SSH="{22,1913}"

table <workssh> { 192.168.0.1/24,218.146.158.224}
table <sshguard> persist

# [options]
set skip on lo0

# [normalization]
scrub in all

# [filtering]
pass out all
block in all

# block all IPs from the sshguard-pf blocklist without any further evaluation
block drop in log quick on $ext_if inet from <sshguard> to any

# Allow ssh traffic from authorised hosts only
pass in quick proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH
I read and was advised on this forum to combine security/sshguard with PF's Stateful Tracking Option (STO). Could someone tell me if my new pf.conf file will do the job?
Code:
ext_if="bce0"

IP_FREEBSD_HOST="192.168.0.155"
IP_WEB="192.168.0.125"
SSH_HOSTS= "{" $IP_FREEBSD_HOST $IP_WEB "}"

PORT_SSH="{22,1913}"

### Stateful Tracking Options (STO) ###
SshSTO="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <sshguard> flush global)"

table <workssh> { 192.168.0.1/24,218.146.158.224}
table <sshguard> persist

# [options]
set skip on lo0

# [normalization]
scrub in all

# [filtering]
pass out all
block in all

# block all IPs from the sshguard-pf blocklist without any further evaluation
block drop in log quick on $ext_if inet from <sshguard> to any

# Allow ssh traffic from authorised hosts only
pass in log on $ext_if inet proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH keep state $SshSTO
or should I remove the
Code:
SshSTO="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <sshguard> flush global)"
pass in log on $ext_if inet proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH keep state $SshSTO
and only do
Code:
pass log on $ext_if inet proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <sshguard> flush global)
 
Re: sshguard vs pf Stateful Tracking Option (STO)

This is what I decided to do in the end:
Code:
ext_if="bce0"

IP_FREEBSD_HOST="192.168.0.155"
IP_WEB="192.168.0.125"
SSH_HOSTS= "{" $IP_FREEBSD_HOST $IP_WEB "}"

PORT_SSH="{22,1913}"

table <workssh> { 192.168.0.1/24,218.146.158.224}
table <sshguard> persist

# [options]
set skip on lo0

# [normalization]
scrub in all

# [filtering]
pass out all
block in all

# block all IPs from the sshguard-pf blocklist without any further evaluation
block drop in log quick on $ext_if inet from <sshguard> to any

# Allow ssh traffic from authorised hosts only
pass log on $ext_if inet proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <sshguard> flush global)
I'll mark the post as SOLVED, but please tell me if what I did is wrong.

Thank you
 