PF blocks all connections after ssh commands

Hi,

I use FreeBSD 9.0 on a 64-bit HP server. I use ALTQ, so I recompiled the kernel with these added options:

Code:
# Packet Filter
device          pf
device          pflog
device          pfsync

options         ALTQ
options         ALTQ_CBQ
options         ALTQ_RED
options         ALTQ_RIO
options         ALTQ_HFSC
options         ALTQ_PRIQ
#options        ALTQ_NOPCC # SMP only (multi-processor machines)

The reboot is OK. Then I configured PF for in/out filtering, QoS and brute-force protection.

Code:
ext_if = "em0"
tcp_port_ftp = "{ 20, 21 }"
udp_port_dns = "{ 53 }"
udp_port_snmp = "{ 161 }"
tcp_port = "{ 20, 21 , 25, 80, 110 , 143, 8025 , 4949}"
tcp_port_ssh = "{ 22 }"
icmp_types = "echoreq"


# Do not filter on the loopback interface
set skip on lo0

# Normalise all incoming packets.
scrub in all

# QoS for outgoing packets
# http://www.freebsdonline.com/content/view/512/531/
# adjust to your taste, 25 MB/s
altq on $ext_if cbq bandwidth 25Mb queue { dflt, ssh }
queue dflt bandwidth 70% cbq( default )
queue ssh bandwidth 20% cbq


# Set up a default-deny policy.
block in all
block out all

# Enable spoofing protection on all interfaces.
antispoof log quick for $ext_if inet
#antispoof log for { $ext_if, lo0 } inet

# activate spoofing protection for all interfaces
block in quick from urpf-failed

# Rules for ICMP
pass in inet proto icmp all icmp-type $icmp_types

# Rule to allow incoming connections to the server
pass in on $ext_if proto tcp from any to $ext_if port $tcp_port queue dflt

# for SSH (separate rule if QoS is used)
#pass in on $ext_if proto tcp from any to $ext_if port $tcp_port_ssh
pass in on $ext_if proto tcp from any to $ext_if port $tcp_port_ssh queue ssh

# Allow incoming SNMP requests
pass in on $ext_if proto udp from 91.212.205.0/24 to $ext_if port $udp_port_snmp

# Enable the next rule if the server hosts a DNS server
# with external clients querying it
#pass in on $ext_if proto udp from any to $ext_if port $udp_port_dns
pass out on $ext_if proto udp from $ext_if  port $udp_port_dns to any

# Allow DNS queries to remote servers
pass out on $ext_if proto udp from $ext_if to any port $udp_port_dns

# allow all outgoing traffic from the installed services
pass out on $ext_if proto tcp from $ext_if port $tcp_port to any queue dflt

pass out on $ext_if proto tcp from $ext_if port $tcp_port_ssh to any
#pass out on $ext_if proto tcp from $ext_if  port $tcp_port_ssh queue ssh to any

# allow port 4242 connections on the local network
pass in on $ext_if proto tcp from 91.212.205.0/24 to $ext_if port 4242
pass out on $ext_if proto tcp from $ext_if to 91.212.205.0/24 port 4242

# allow connections to remote web servers
pass out on $ext_if proto tcp from $ext_if to any port 80
pass out on $ext_if proto tcp from $ext_if to any port 443
pass out on $ext_if proto tcp from $ext_if to any port 25

# allow connections to the remote time server
pass in on $ext_if proto udp from 195.220.94.163 port 123 to $ext_if
pass out on $ext_if proto udp from $ext_if to 195.220.94.163 port 123

# Load the ftpsesame rules for FTP connection tracking
anchor "ftpsesame/*" on $ext_if

# Brute-force protection
# Create two tables
#table <ssh_abuse> persist
table <http_abuse> persist
table <whitelist> persist file "/etc/pf_whitelist"
table <blacklist> persist file "/etc/pf_blacklist"


# Block the addresses in the table on the relevant ports
# 'quick' makes pf skip every other filtering rule
# for these packets

# whitelisted IPs pass immediately
pass in quick on $ext_if from <whitelist>
# blacklisted IPs are blocked immediately
block in quick log on $ext_if from <blacklist>
#block in quick on $ext_if proto tcp from <ssh_abuse> to $ext_if port 22
block in quick log on $ext_if proto tcp from <http_abuse> to $ext_if port 80

# if you want to block everything from brute-force IPs
block quick from <http_abuse>
block quick to   <http_abuse>


# if there are more than 2 connections every 10 seconds on
# the ssh port, add the IP to the ssh_abuse table
#pass in inet proto tcp to any port 22 flags S/SA keep state (max-src-conn-rate 2/10, overload <ssh_abuse> flush global)
# If there are more than 100 open connections from this IP, or more than 20 connections
# in 5 seconds, put the IP in the http_abuse table
pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 100, max-src-conn-rate 20/5, overload <http_abuse> flush)

This is my /etc/rc.conf file:

Code:
pf_enable="YES"
pf_rules="/etc/pf_in_out.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""

PF is active. pftop shows connections. But after a few ssh commands, PF blocks all connections. I look at the log with:

Code:
tcpdump -n -e -ttt -r /var/log/pflog

and

Code:
tcpdump -vv -s 256 -n -e -ttt -i pflog0

There is nothing in this log, nothing in table <http_abuse>, and nothing in /var/log/messages.

Does this behaviour seem correct? Does anyone have a problem like this? Could you help me find my mistake?

Have a nice day.
 
I am by FAR not an expert on PF, but from what I see:

Code:
pass in inet proto tcp to any port 22 flags S/SA keep state (max-src-conn-rate 2/10, overload <ssh_abuse> flush global)

You have no number of simultaneous connections defined (max-src-conn) <-- could be the problem, and your connection rate (max-src-conn-rate 2/10) is only 2 connections for 10 minutes.

I would definitely start by upping the rate a bit and seeing if it stops the problem.

Like I said, certainly NOT an expert. But, I have been struggling with this stuff myself, so I know how frustrating it can be to post and wait what seems to be endless days for a response that might not come. So I figured I would throw in.
 
Code:
pass in inet proto tcp to any port 22 flags S/SA keep state (max-src-conn 10, max-src-conn-rate 10/10, overload <ssh_abuse> flush global)

I might start with that and see if the problem persists. Let me know if I can help any more.
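To show why a rate of 2/10 locks out the person running the ssh commands, here is a small model of pf's per-source connection-rate limit with `overload <table> flush global`. This is an added illustration written for this thread, not code from either poster or from FreeBSD; the decaying counter follows the fixed-point logic of `pf_add_threshold()`/`pf_check_threshold()` in pf(4) as I understand it (an assumption), time is in whole seconds as pf counts it, and the source address is a constructed documentation address.

```python
"""Model of a pf rule of the form
   pass in ... keep state (max-src-conn-rate LIMIT/SECONDS,
                           overload <table> flush global)
preceded by 'block in quick from <table>'.  Added illustration, not
code from the thread or from FreeBSD; the counter logic is an
approximation of pf_add_threshold()/pf_check_threshold() (assumption)."""

THRESHOLD_MULT = 1000  # fixed-point scale pf applies to the counter


class SourceTracker:
    """Per-source counter that decays linearly over the rate window."""

    def __init__(self, limit, seconds, now):
        self.limit = limit * THRESHOLD_MULT
        self.seconds = seconds
        self.count = 0
        self.last = now

    def add(self, now):
        """Account one new connection at `now`; True if the limit is exceeded."""
        diff = now - self.last
        if diff >= self.seconds:
            self.count = 0
        else:
            self.count -= self.count * diff // self.seconds  # integer decay
        self.count += THRESHOLD_MULT
        self.last = now
        return self.count > self.limit


class RateLimitedRule:
    """The rate-limited pass rule, its overload table and the states it created."""

    def __init__(self, limit, seconds):
        self.limit, self.seconds = limit, seconds
        self.trackers = {}      # source address -> SourceTracker
        self.overload = set()   # contents of the overload table
        self.states = []        # (source, time) for each open state

    def connect(self, src, now):
        """Verdict for one new TCP connection (one 'ssh host cmd' run) from src."""
        if src in self.overload:
            return "blocked"    # hit by 'block in quick from <table>'
        tracker = self.trackers.get(src)
        if tracker is None:
            tracker = self.trackers[src] = SourceTracker(self.limit, self.seconds, now)
        if tracker.add(now):
            self.overload.add(src)
            # 'flush global': every existing state from this source is killed,
            # including an interactive ssh session that was already open
            self.states = [s for s in self.states if s[0] != src]
            return "overloaded"
        self.states.append((src, now))
        return "passed"


def simulate(limit, seconds, times, src="198.51.100.7"):
    """Run one source (constructed address) through a connection at each second
    offset in `times`; return the verdicts, the open state count and whether
    the source ended up in the overload table."""
    rule = RateLimitedRule(limit, seconds)
    verdicts = [rule.connect(src, t) for t in times]
    return verdicts, len(rule.states), src in rule.overload


if __name__ == "__main__":
    # Constructed scenario: four 'ssh host uptime' runs, one per second.
    for limit, seconds in ((2, 10), (10, 10)):
        verdicts, open_states, tabled = simulate(limit, seconds, [0, 1, 2, 3])
        print(f"max-src-conn-rate {limit}/{seconds}: {verdicts}, "
              f"open states={open_states}, in overload table={tabled}")
```

With 2/10 the third connection within a couple of seconds trips the overload, `flush global` drops every state the admin already had, and the fourth attempt is blocked outright by the table rule, which matches the symptom of "after some ssh commands, everything is blocked" with nothing in pflog for the earlier states. With 10/10 the same four runs pass. Two practical checks on a live box: `pfctl -t ssh_abuse -T show` lists who has been tabled, and `pfctl -t ssh_abuse -T delete <addr>` clears one entry; keeping the administrator's address in the `<whitelist>` table, which the `pass in quick from <whitelist>` rule evaluates first, keeps it out of the rate limit entirely.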
 
Thanks a lot,

I had forgotten this part of the configuration. fullauto has found my mistake, thanks. I'm looking into sshguard in order to prevent this problem. I don't know where I could close this ticket.

Have a nice day.
 