[RESOLVED] restrict ssh acces via IP pf config

fred974

fred974

Hello everyone,

I just realized that my pf firewall rules are not actually doing what I thought they did.
My plan was to only allow ssh() access to the server only if the host IP address are 213.146.159.xxx, 82.31.44.xxx or 193.128.224.xx.
When playing with juicessh (Android app) I realized that I was allowed in the Server. This should not happen as my phone Random IP (not over wifi) is not set in the rules.

Could anyone help me to figure out where i went wrong please?

Thank you very much :)

Here is my pf.conf file:
Code: 
ext_if="bge0"

IP_FREEBSD_HOST="192.168.0.xxx"
IP_WEB="192.168.0.xxx"
SSH_HOSTS= "{" $IP_FREEBSD_HOST $IP_WEB "}"
ICMP_TYPES="{echoreq,unreach}"

PORT_WEB="{80,443}"
PORT_SSH="{22,1413}"
PORT_ZABBIX="{10059}"

table <fail2ban> counters persist file "/var/db/pf/bf.table"
table <workssh> { 213.146.159.xxx,82.31.44.xxx,193.128.224.xx }

# [options]
set skip on lo0

# [normalizaiton]
scrub in all

# [translation]

# [filtering]
pass out all
block in all
#block all IPs from the fail2ban blocklist without any further evaluation
block in quick on $ext_if from <fail2ban> to any

#pass in quick proto tcp from any to $IP_FREEBSD_HOST port $PORT_SSH
# Allow ssh traffic from authorise hosts with synproxy handshaking
pass in quick proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <fail2ban> flush)

pass in quick proto tcp from any to $IP_WEB port $PORT_WEB
pass in quick proto {tcp,udp} from any to $IP_FREEBSD_HOST port $PORT_ZABBIX
pass inet proto icmp all icmp-type $ICMP_TYPES keep state
# add IPs used for brute force attacks to table fail2ban, flush
pass in on $ext_if proto tcp from any to any port $PORT_SSH flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <fail2ban> flush global)
 
Re: restrict ssh acces via IP pf config

fred974 said:
Code: 
pass in on $ext_if proto tcp from any to any port $PORT_SSH flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <fail2ban> flush global)
Click to expand...
This line allows anyone in.
 
Re: restrict ssh acces via IP pf config

Hi @SirDice,

If I remove that line, how can I send all the IPs used for brute force attacks to the fail2ban table ?

Thank you
 
Last edited by a moderator:
Re: restrict ssh acces via IP pf config

I removed the line bellow and I was still able to connect via my phone :(
Code: 
pass in on $ext_if proto tcp from any to any port $PORT_SSH flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <fail2ban> flush global)
 
Re: restrict ssh acces via IP pf config

fred974 said:
I removed the line bellow and I was still able to connect via my phone :(
Click to expand...
Did you reload the configuration?

pfctl -f /etc/pf.conf
 
Re: restrict ssh acces via IP pf config

service pf reload is the same thing but may be easier to remember.
 
Re: restrict ssh acces via IP pf config

SirDice said:
fred974 said:
I removed the line bellow and I was still able to connect via my phone :(
Click to expand...
Did you reload the configuration?

pfctl -f /etc/pf.conf
Click to expand...

No I didn't , I rebooted the server instead.
I ran the command pfctl -f /etc/pf.conf and I got the following
Code: 
root@FREEBSDHOST:~ # pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: DIOCADDRULE: Operation not supported by device

My understanding of that error message is that the binaries I am using are out of sync with the kernel... Is that correct?
How can I fix that?

Code: 
root@FREEBSDHOST:~ # pfctl -si
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 0 days 00:00:15           Debug: Urgent

State Table                          Total             Rate
  current entries                        0
  searches                           58932         3928.8/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                              58932         3928.8/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
root@kryten:~ #
I assume from the output above that pf is running..?
 
Re: restrict ssh acces via IP pf config

fred974 said:
If I remove that line, how can I send all the IPs used for brute force attacks to the fail2ban table ?
Click to expand...
There won't be any because you limited access to the SSH port. Nobody can run a brute-force attack against your SSH if they can't connect.

Only the IP addresses you allowed could, potentially, brute-force their way in. If you want to keep fail2ban you need to add it to the line that does allow access.
 
Re: restrict ssh acces via IP pf config

SirDice said:
fred974 said:
If I remove that line, how can I send all the IPs used for brute force attacks to the fail2ban table ?
Click to expand...
There won't be any because you limited access to the SSH port. Nobody can run a brute-force attack against your SSH if they can't connect.

Only the IP addresses you allowed could, potentially, brute-force their way in. If you want to keep fail2ban you need to add it to the line that does allow access.
Click to expand...

Ok I understand this point. but even by removin that line any one from any IP can still connect to the box..
Is there anything else that I missed?
Is the error message the cause of my problem?
 
Re: restrict ssh acces via IP pf config

Hi guys,

I still haven't manged to sort my problem with pf.conf
My curent setup is
pf.conf
Code: 
ext_if="bge0"

IP_FREEBSD_HOST="192.168.0.xxx"
IP_WEB="192.168.0.xxx"
SSH_HOSTS= "{" $IP_FREEBSD_HOST $IP_WEB "}"
ICMP_TYPES="{echoreq,unreach}"

PORT_WEB="{80,443}"
PORT_SSH="{22,1413}"
PORT_ZABBIX="{10059}"

table <fail2ban> counters persist file "/var/db/pf/bf.table"
table <workssh> { 213.146.159.xxx,82.31.44.xxx,193.128.224.xx }

# [options]
set skip on lo0

# [normalizaiton]
scrub in all

# [translation]

# [filtering]
pass out all
block in all
#block all IPs from the fail2ban blocklist without any further evaluation
block in quick on $ext_if from <fail2ban> to any

#pass in quick proto tcp from any to $IP_FREEBSD_HOST port $PORT_SSH
# Allow ssh traffic from authorise hosts with synproxy handshaking
pass in quick proto tcp from <workssh> to $SSH_HOSTS port $PORT_SSH flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <fail2ban> flush)

pass in quick proto tcp from any to $IP_WEB port $PORT_WEB
pass in quick proto {tcp,udp} from any to $IP_FREEBSD_HOST port $PORT_ZABBIX
pass inet proto icmp all icmp-type $ICMP_TYPES keep state

All I want to do is to limit access to the IP address from the <workssh> table

Thank you
 
You must log in or register to reply here.
Back
Top