Is this a good setup?

Hi

Can you tell me your opinion? Something good? Or bad? Too much? Did I miss something? Something doesn't make sense? I'm not having my best week.

pf.conf
Code:
ext_if = "em0"          # assumed interface name: the post does not show this macro, but every rule below uses it

set block-policy drop
set skip on lo0

## packet normalization
scrub     on $ext_if all reassemble tcp
scrub in  on $ext_if all fragment drop-ovl
scrub out on $ext_if all random-id fragment reassemble

## abusive hosts
table <abusive> persist file "/var/db/pf/abusive"

## redirect spamd hosts
table <spamd> persist
rdr pass inet proto tcp from <spamd> port 1024:65535 to ($ext_if:0) \
        port smtp -> 127.0.0.1 port spamd

## default block
block in log
block out log

## block abusive hosts
block in quick from <abusive>

## no spoofed addresses
antispoof quick for { lo0, $ext_if }

## public services
pass in on $ext_if inet proto tcp from any port 1024:65535 \
        to ($ext_if:0) port { 25, 80, 443 } flags S/SA synproxy state \
        (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive> flush global)

## sshd
pass in on $ext_if inet proto tcp from any port 1024:65535 \
        to ($ext_if:0) port 22 flags S/SA synproxy state \
        (max-src-conn 15, max-src-conn-rate 5/3, overload <abusive> flush global)

## allow ping in / out
pass in inet proto icmp all icmp-type echoreq
pass out inet proto icmp all icmp-type echoreq

## allow dns queries
pass out on $ext_if inet proto udp from ($ext_if:0) port 1024:65535 \
        to any port 53 keep state

## smtp
pass out on $ext_if inet proto tcp from ($ext_if:0) port 1024:65535 \
        to any port 25 flags S/SA keep state

## let spamd-setup update blacklist
pass out on $ext_if inet proto tcp from ($ext_if:0) port 1024:65535 \
        to any port { spamd, spamd-cfg, spamd-sync } flags S/SA keep state

## dyndns
pass out on $ext_if inet proto tcp from ($ext_if:0) port 1024:65535 \
        to xxx.xxx.xxx.xxx port 80 flags S/SA keep state

root crontab
  • check ssh violations from auth.log
  • keep copy of abusive table on disk for reboots
  • records in abusive table expire in 24h
Code:
*/5     *       *       *       *       /root/bin/ssh_violations.sh
*/5     *       *       *       *       /sbin/pfctl -t abusive -Ts > /var/db/pf/abusive
@reboot /sbin/pfctl -t abusive -Te 86400

ssh_violations.sh
  • 3 invalid user errors in auth log and you are in abusive hosts table
  • max-src-conn-rate will catch most of the scans, but this is just backup (I hate them)
Code:
#!/bin/sh
# Count "Invalid user" lines per source IP ($10 is the address in FreeBSD's
# sshd auth.log format). Input must be sorted before uniq -c, otherwise only
# consecutive duplicates are counted and scattered failures are missed.
egrep 'Invalid user [A-Za-z0-9_-]+ from [0-9.]+$' /var/log/auth.log \
        | awk '{print $10}' | sort | uniq -c | \
while read num ip; do
        # three or more failures from one address, as described above
        if [ "${num}" -ge 3 ]; then
                pfctl -t abusive -T add "${ip}" > /dev/null 2>&1
        fi
done
 
henrixd said:
Code:
# allow dns queries
pass out on $ext_if inet proto udp from ($ext_if:0) port 1024:65535 \
        to any port 53 keep state
You also need to allow TCP/53. Not all queries are done using UDP; if the query doesn't fit, it'll use TCP, which would currently fail.

Instead of using your own ssh_violations.sh script I highly recommend security/sshguard-pf.
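The DNS rule rewritten to cover both transports, as an added example rather than either poster's own config; it assumes the `$ext_if` macro and the rest of the ruleset from the first post.

```pf
## allow dns queries over UDP and TCP: an answer that does not fit in a UDP
## datagram comes back truncated and the resolver retries over TCP, which the
## default "block out" rule above drops when only UDP/53 is passed
pass out on $ext_if inet proto { udp, tcp } from ($ext_if:0) port 1024:65535 \
        to any port 53 keep state
```

`pfctl -nf /etc/pf.conf` checks the syntax before loading, and `dig +tcp` against the host's resolver confirms the TCP path once the rules are live.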
 
You also need to allow TCP/53. Not all queries are done using UDP; if the query doesn't fit, it'll use TCP, which would currently fail.

Thank you! This is exactly what I was looking for.

Instead of using your own ssh_violations.sh script I highly recommend security/sshguard-pf.

This too, I'm actually positively surprised how well it works.

Back to bombing my server with hydra.
 