PF tables - WRITE!

In /etc/pf.conf
Code:
table <ssh_bruteforcers> persist file "/var/db/pf/ssh_bruteforcers"

# SSH rules
pass in log inet proto tcp from any to ($ext_if) port 22 keep state (max-src-conn 5, max-src-conn-rate 20/60, overload <ssh_bruteforcers> flush global)
block from <ssh_bruteforcers>

So, pf WILL read from /var/db/pf/ssh_bruteforcers, but WILL NOT write new infidels to /var/db/pf/ssh_bruteforcers, but keep them in memory instead, which gets emptied after reboot, which WOULD NOT happen if pf WOULD write new infidels to /var/db/pf/ssh_bruteforcers, which it DOESN'T.

Fix?
 
Don't use a file-based table for data you need to change/add to ;)

Use a memory-based table (table <ssh_bruteforcers> persist), use cron to dump the contents to a file on disk every 5 minutes (1), and read from that file after a reboot (2), using the @reboot time in cron. Don't forget to expire stale data from the table as well, unless you want the table to keep growing indefinitely.

(1)
Code:
/sbin/pfctl -t ssh_bruteforcers -Ts > /some/dir/ssh_bruteforcers.table

(2)
Code:
/sbin/pfctl -t ssh_bruteforcers -Tr -f /some/dir/ssh_bruteforcers.table

(3)
install security/expiretable, run from cron every hour/day, whatever.
Code:
/usr/local/sbin/expiretable -t 1d ssh_bruteforcers
1d = 1 day, 8h = 8 hours, you get it.

I'll leave the scripting up to you ;)
 
Excellent! :)

But why should I install security/expiretable, IF I can use:
Code:
/sbin/pfctl -t ssh_bruteforcers -Te 86400
to get rid of entries older than 24 hours?
 
I believe they are not exactly the same (the 'cleared statistics' bit in pfctl's manual), and I wanted to make sure that IPs were removed from the table a fixed time after their being added, no matter what. They may be functionally the same, I don't really know.
 
Or the pfctl -Te flag did not exist before, and someone impatient created their own app to expire tables; then PF additionally got that expire ability in pfctl.
 
Yeah, I just read the expiretable's manual, and it has the exact same line ;)

The age in question being the amount of time that has passed since the statistics for the respective entry in the target table was last cleared.

pfctl:

Delete addresses which had their statistics cleared more than number seconds ago.

So -Te should be just fine, although it can only handle seconds instead of a nice -s / -m / -h / -d option.
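The dump (1), restore (2) and expire (3) steps from the reply above, with pfctl -Te doing the expiry as this last post concludes, as one added example script that is not part of the original thread. The state directory /var/db/pf, the MAX_AGE of 86400 seconds, the PFCTL override variable and the temp-file-then-rename dump are assumptions; the pfctl flags -Ts, -Tr and -Te are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example: keep a memory-based PF table across reboots.
# Assumed defaults (not from the thread); override via environment.
PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-ssh_bruteforcers}"
STATE_DIR="${STATE_DIR:-/var/db/pf}"
STATE_FILE="$STATE_DIR/$TABLE.table"
MAX_AGE="${MAX_AGE:-86400}"   # seconds; 24h, same value as the -Te example above

# (1) Dump the in-memory table to disk. Write to a temp file and rename,
# so a reboot in the middle of a write never leaves a half-written file
# that the restore step would then load.
dump_table() {
    mkdir -p "$STATE_DIR"
    tmp="$STATE_FILE.tmp.$$"
    "$PFCTL" -t "$TABLE" -Ts > "$tmp" && mv "$tmp" "$STATE_FILE"
}

# (2) Reload the table from disk after a reboot. -Tr replaces the table
# contents with the file. No dump yet (first boot) is not an error.
restore_table() {
    if [ ! -s "$STATE_FILE" ]; then
        return 0
    fi
    "$PFCTL" -t "$TABLE" -Tr -f "$STATE_FILE"
}

# (3) Expire entries whose statistics were cleared more than MAX_AGE
# seconds ago, then dump again so the on-disk copy does not resurrect
# them on the next restore.
expire_table() {
    "$PFCTL" -t "$TABLE" -Te "$MAX_AGE" && dump_table
}

case "${1:-}" in
    dump)    dump_table ;;
    restore) restore_table ;;
    expire)  expire_table ;;
    *)       ;;   # no action given: only define the functions
esac
```

Assuming the script is installed as /usr/local/sbin/pftable.sh, the cron side is three lines in /etc/crontab: `*/5 * * * * root /usr/local/sbin/pftable.sh dump`, `0 * * * * root /usr/local/sbin/pftable.sh expire`, and `@reboot root /usr/local/sbin/pftable.sh restore`. The restore relies on pf having already loaded pf.conf (which creates the empty persist table) before cron runs its @reboot jobs, which is the normal rc ordering.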
 