Solved Populating tables with PF

[mefizto]

Greetings all,

I have have had my pf fire-walled FreeBSD laptop on the Internet for a few minutes and I am already seeing attempts to guess a combination of user name and password at the ssh port.

As a first defense, I have turned off the ssh daemon in /etc/rc.conf, but it is only a short-term solution. By doing some research I have found a general approach to build a table of such "brute-forces":

table <brute-force> persist

and then use the entries to block them, e.g.,

block in log quick on $ext_if proto tcp from <brute-force> to any

However, I cannot find any reference describing how to build the table, so any help would be appreciated.

The second question is, how does one prevent adding oneself to the table by miss-typing user name and/or password.

Kindest regards,

M

 

[SirDice]

Configure blacklistd(8) (available on 11.0 or higher) or install something like security/sshguard. You don't want to re-invent the wheel

However, I cannot find any reference describing how to build the table, so any help would be appreciated.

See pfctl(8).

     -T command [address ...]
             Specify the command (may be abbreviated) to apply to the table.
             Commands include:

             -T kill       Kill a table.
             -T flush      Flush all addresses of a table.
             -T add        Add one or more addresses in a table.
                           Automatically create a nonexisting table.
             -T delete     Delete one or more addresses from a table.
             -T expire number
                           Delete addresses which had their statistics cleared
                           more than number seconds ago.  For entries which
                           have never had their statistics cleared, number
                           refers to the time they were added to the table.
             -T replace    Replace the addresses of the table.  Automatically
                           create a nonexisting table.
             -T show       Show the content (addresses) of a table.
             -T test       Test if the given addresses match a table.
             -T zero       Clear all the statistics of a table.
             -T load       Load only the table definitions from pf.conf(5).
                           This is used in conjunction with the -f flag, as
                           in:

                                 # pfctl -Tl -f pf.conf

Short version; pfctl -t brute-force -T add 1.2.3.4

 

[mefizto]

Hi SirDice,

thank you for the reply. Sorry for the in-artful question language; I meant to ask how to built the table automatically, not by hand. I will look at both the security/sshguard and the blacklist(8).

Hi Wozzeck.Live,

thank you for your points two and three. Regarding the inetd(8), as I understand it, inetd(8) is a daemon process that controls other services. In other words, it may be the only daemon started by /etc/rc.conf, listening on all service ports for the services listed in its configuration file. When a request for the service comes in, inetd(8) starts the appropriate server.

Now, as much as I like the idea, what happens if the inetd(8) daemon dies and I have no access to machine? I might have overlooked it, but do not see any ability to self-restart. Any idea?

Kindest regards,

M

 

[SirDice]

thank you for the reply. Sorry for the in-artful question language; I meant to ask how to built the table automatically, not by hand. I will look at both the security/sshguard and the blacklist(8).

SSHGuard uses its own table; sshguard. And blacklistd(8) does things differently by using anchors. The end result is the same though.