PF permanent bruteforce ban: how does it really work?

Hello guys,
I have rules like the ones below:
Code:
 stossh   ="(max 5, source-track rule, max-src-states 5, max-src-nodes 5, max-src-conn-rate 4/100, overload <bruteforce> flush global)"
Table:
Code:
 table <bruteforce> counters persist file "/etc/bruteforce"
And block rules:
Code:
block drop in log quick on $ext_if from <bruteforce>
block drop out log quick on $ext_if from <bruteforce>
I want to ask why, when I use those rules, I never get an entry in /etc/bruteforce and nothing is ever shown by pfctl -T show -t bruteforce. When I'm using a temporary <bruteforce> table (until pf is restarted etc.) it works great, so what about a permanent one? How does it, or should it, really work? What am I doing wrong?
 
PF doesn't dump tables back to files. You have to run a cronjob to specifically do this:
Code:
pfctl -t bruteforce -Ts > /etc/bruteforce

But don't forget to expire old entries to prevent the file from endlessly growing.

I'd suggest you have a look at sshguard, which can - despite its name - monitor other services as well, hooks into PF and handles all the gritty details for you. You can still use your own overload rules to propagate tables used by sshguard and leave the dumping/cleanup of the tables to sshguard.

edit:
corrected syntax of the pfctl command
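Here is what "run a cronjob, dump the table, expire old entries" looks like as a script, as an added example that is not from this thread and not part of PF or sshguard. The table name <bruteforce>, the file /etc/bruteforce and the one-day ban age are assumptions carried over from the question; pfctl's own -T expire, -T show and persist file semantics are real.

```sh
#!/bin/sh
# Added example (not from the thread, not part of PF or sshguard): a cron-
# driven script that expires stale entries from an overload table and then
# dumps what is left into the table's "persist file", so the bans survive a
# ruleset reload or a reboot. The defaults below are assumptions for
# illustration: table <bruteforce>, file /etc/bruteforce, a one-day ban.
set -eu

PFCTL="${PFCTL:-pfctl}"                 # path to pfctl (overridable for testing)
TABLE="${TABLE:-bruteforce}"
PERSIST_FILE="${PERSIST_FILE:-/etc/bruteforce}"
MAX_AGE="${MAX_AGE:-86400}"             # seconds an address stays banned

# save_table TABLE FILE MAX_AGE
# 1. 'pfctl -t T -T expire N' deletes entries whose counters were last
#    cleared (or, if never cleared, which were added) more than N seconds
#    ago, so the file cannot grow forever.
# 2. 'pfctl -t T -T show' prints one address per line, indented; the
#    indentation is stripped so the file is in the plain one-address-per-
#    line format that 'persist file' (and 'pfctl -T replace -f') read back.
# 3. The file is written to a temp name and mv(1)'d into place so a reload
#    never reads a half-written file. Prints the number of addresses saved.
save_table() {
    table=$1
    file=$2
    max_age=$3

    "$PFCTL" -t "$table" -T expire "$max_age" >/dev/null

    # capture first so a failing pfctl aborts the script (set -e) instead
    # of silently producing an empty file
    addrs=$("$PFCTL" -t "$table" -T show)

    tmp="$file.tmp.$$"
    printf '%s\n' "$addrs" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' > "$tmp" || true   # grep exits 1 on an empty table
    chmod 0600 "$tmp"
    mv "$tmp" "$file"

    wc -l < "$file" | tr -d ' '
}

# Only do the real work when invoked with "save", e.g. from cron:
#   */10 * * * * root /usr/local/sbin/pf-save-bruteforce.sh save
# Sourcing or running the file without arguments just defines the function.
if [ "${1:-}" = "save" ]; then
    n=$(save_table "$TABLE" "$PERSIST_FILE" "$MAX_AGE")
    echo "saved $n entries of <$TABLE> to $PERSIST_FILE"
fi
```

Two caveats worth knowing before relying on this. The dump contains addresses only, no timestamps, so after a reload every restored entry counts as freshly added and gets a full MAX_AGE again; the expiry clock restarts on every reboot. And the script only writes the file; PF still reads it exclusively at ruleset load time, exactly as the replies above say, so run the script often enough (every few minutes) that a reboot loses as little as you can accept.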
 
PF doesn't dump tables back to files. You have to run a cronjob to specifically do this:
Code:
pfctl -t bruteforce -Ts /etc/bruteforce

But don't forget to expire old entries to prevent the file from endlessly growing.

I'd suggest you have a look at sshguard, which can - despite its name - monitor other services as well, hooks into PF and handles all the gritty details for you. You can still use your own overload rules to propagate tables used by sshguard and leave the dumping/cleanup of the tables to sshguard.

Then I will try sshguard.
But one more thing:
Code:
root@HardenedBSD:/home/bryn1u # pfctl -t bruteforce -Ts /etc/bruteforce
usage: pfctl [-AdeghmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]
   [-f file] [-i interface] [-K host | network]
   [-k host | network | label | id] [-o level] [-p device]
   [-s modifier] [-t table -T command [address ...]] [-x level]
 
If you want to see the contents of /etc/bruteforce just cat /etc/bruteforce. It's just a text file. But as sko already noted, this file is only read during loading of the rules. Nothing is ever written to it by PF.

The command sko shows is missing a redirect, it should be:
Code:
pfctl -t bruteforce -Ts > /etc/bruteforce
 
As SirDice pointed out I missed the redirect. Sorry about that, I just updated my post.

getopt: I think the -f option is only for reading from a file, not to output to it. So with pfctl -t <table> -Ta -f <filename> you will append the file contents to an existing table in memory.
 