Solved IPTables rules conversions into PF rules

I'm reading through an SSH hardening guide, and one of their suggestions is that connection rate throttling is needed in order to protect against the DHEat denial-of-service attack.

However, they only give iptables examples. Can anyone convert these to PF for me?

Code:
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
ip6tables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP
 
ssh-audit shows:

Potentially insufficient connection throttling detected, resulting in possible vulnerability to the DHEat DoS attack (CVE-2002-20001). 38 connections were created in 0.151 seconds, or 251.9 conns/sec; server must respond with a rate less than 20.0 conns/sec per IPv4/IPv6 source address to be considered safe.
 

Code:
max-src-conn-rate <number> / <seconds>
        Limit the rate of new connections over a time interval.  The
        connection rate is an approximation calculated as a moving average.

    Because the 3-way handshake ensures that the source address is not being
    spoofed, more aggressive action can be taken based on these limits.
    With the overload <table> state option, source IP addresses which hit
    either of the limits on established connections will be added to the
    named table.  This table can be used in the ruleset to block further
    activity from the offending host, redirect it to a tarpit process, or
    restrict its bandwidth.

    The optional flush keyword kills all states created by the matching
    rule which originate from the host which exceeds these limits.  The
    global modifier to the flush command kills all states originating from
    the offending host, regardless of which rule created the state.

    For example, the following rules will protect the webserver against
    hosts making more than 100 connections in 10 seconds.  Any host which
    connects faster than this rate will have its address added to the
    <bad_hosts> table and have all states originating from it flushed.  Any
    new packets arriving from this host will be dropped unconditionally by
    the block rule.

        block quick from <bad_hosts>
        pass in on $ext_if proto tcp to $webserver port www keep state \
            (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

You may want to adjust the conn-rate and max-src-conn to avoid blocking yourself. It is also a good idea not to use the default port 22; you can change it to something else, like 2222, in your sshd_config. This will avoid many bot scan attempts, and if you are still using password auth it's better to switch to certificate (key) authentication.

Code:
# table that collects offending source addresses; persist keeps it loaded
table <bad_hosts> persist
# anything already in the table is dropped before the pass rule is evaluated
block quick from <bad_hosts>
# one rule covers both IPv4 and IPv6; $ext_if is your external interface macro
pass in on $ext_if proto tcp to port { 22 } \
    keep state (max-src-conn 1, max-src-conn-rate 1/10, \
    overload <bad_hosts> flush global)
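As an added example, not the poster's rules and not from the pf.conf manual quoted above, here is a complete pf.conf fragment that mirrors the iptables/ip6tables pair from the question (more than 10 new connections in 10 seconds from one source gets that source blocked) while keeping an administrator address out of the throttle. The interface name em0, the <admins> address 203.0.113.10 and the ssh_port value are placeholders you must replace; the rate 10/10 is well under the 20 conns/sec per source that ssh-audit reports as the safe threshold.

```pf
# Added example, not the poster's configuration. Placeholders to adjust:
ext_if   = "em0"        # assumption: external interface
ssh_port = "22"         # assumption: sshd port (2222 if you moved it)

# Offending sources land here. "persist" keeps the table loaded even if no
# rule references it, so it can be inspected and cleared with pfctl -t/-T.
table <bad_hosts> persist

# Placeholder admin host (RFC 5737 documentation address) that must never be
# throttled or blocked, so a burst of your own sessions cannot lock you out.
table <admins> { 203.0.113.10 }

# Admin host matches first and stops rule evaluation ("quick").
pass in quick on $ext_if proto tcp from <admins> to ($ext_if) port $ssh_port \
    flags S/SA keep state

# Anything already in <bad_hosts> is dropped before the throttled pass rule.
# A single rule covers IPv4 and IPv6; PF has no separate ip6tables.
block drop in quick on $ext_if from <bad_hosts>

# Equivalent of the iptables "recent" rule: more than 10 completed TCP
# handshakes to sshd within 10 seconds from one source adds that source to
# <bad_hosts> and "flush global" kills every state it owns, not only the
# ones this rule created. max-src-conn 10 additionally caps simultaneous
# established sessions per source; raise it if one host multiplexes many.
pass in on $ext_if proto tcp to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 10/10, \
     overload <bad_hosts> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Entries added by overload stay in the table until removed: `pfctl -t bad_hosts -T show` lists them, `pfctl -t bad_hosts -T delete <address>` releases one host, and a periodic `pfctl -t bad_hosts -T expire 3600` from cron ages out entries older than an hour so a blocked address is not banned forever. Because the limits only count connections that completed the 3-way handshake, the source address cannot be spoofed to get a third party blocked.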
