[SOLVED] pf table - can I view them?

Hi guys,

I have a bit of a 'noob' question. I have the following entry in my /etc/pf.conf file:
Code:
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)

My question is: is that table stored in memory or does a file get created? Can I see what ssh_abuse contains?
 
Re: pf table - can I view them?

fred974 said:
Hi guys,
I have a bit of a 'noob' question...
I have the following entry in my /etc/pf.conf file:
Code:
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)

My question is: is that table stored in memory or does a file get created?
Can I see what 'ssh_abuse' contains?

Use pfctl -t ssh_abuse -Ts to view the table. You can use the -v switch for more verbose statistics (e.g. pfctl -t ssh_abuse -vTs).

And change your /etc/pf.conf entry from:
Code:
table <ssh_abuse> persist

to:
Code:
table <ssh_abuse> counters persist file "/var/db/pf/ssh_abuse.table"

to write your table to file.

You can make a cronjob to write the table to file every x minutes and restore the file at boot. See this.
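A cron-friendly save script for that table, as an added example (not from the thread or from the pf project); it assumes the table is named ssh_abuse and its file is /var/db/pf/ssh_abuse.table, as in the pf.conf line above, and it also expires old entries with pfctl -T expire so a ban list that is reloaded at every boot does not grow forever.

```shell
#!/bin/sh
# Added example (not from the thread): cron-friendly save of a pf table to the
# file named in its "persist file" definition, with stale entries expired first.
# Assumed names: table ssh_abuse, file /var/db/pf/ssh_abuse.table (matching the
# pf.conf line suggested above). Every knob can be overridden from the
# environment, which also lets the functions be exercised without a real pfctl.
PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-ssh_abuse}"
STATE_FILE="${STATE_FILE:-/var/db/pf/ssh_abuse.table}"
MAX_AGE="${MAX_AGE:-86400}"   # seconds since an entry was added/cleared; 0 disables expiry

# Drop addresses that have sat in the table longer than MAX_AGE seconds, so a
# snapshot that pf re-loads at every boot does not accumulate bans forever.
expire_stale() {
    [ "$MAX_AGE" -gt 0 ] || return 0
    "$PFCTL" -t "$TABLE" -T expire "$MAX_AGE"
}

# Dump the live table to a temporary file and rename it into place, so a crash
# mid-write leaves the previous snapshot intact for the next boot.
save_table() {
    tmp="${STATE_FILE}.tmp.$$"
    "$PFCTL" -t "$TABLE" -T show > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$STATE_FILE"
}

# Number of addresses in the saved snapshot (blank lines ignored).
saved_count() {
    [ -f "$STATE_FILE" ] || { echo 0; return 0; }
    grep -c '[0-9a-fA-F]' "$STATE_FILE" || true
}

# Manual restore (pf already does this at load time when the table is defined
# with "persist file"): feed the snapshot back in; -T add keeps existing entries.
restore_table() {
    [ -s "$STATE_FILE" ] || return 0
    "$PFCTL" -t "$TABLE" -T add -f "$STATE_FILE"
}

# Run from cron, e.g.: */10 * * * * root /usr/local/sbin/pf_table_save.sh save
case "${1:-}" in
    save)    expire_stale && save_table ;;
    restore) restore_table ;;
esac
```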
 
Re: pf table - can I view them?

Thank you @nanotek :) That link is what I needed. So do you think I still need the rule mentioned above if I use fail2ban as per the post?
 
Re: pf table - can I view them?

fred974 said:
Thank you @nanotek :) That link is what I needed. So do you think I still need the rule mentioned above if I use fail2ban as per the post?
For what it is worth, I would not worry about writing the table to a file. Even if the IP addresses that get put into the block table are not random, meh. The goal here is to identify an SSH threat and block it which is accomplished by max-src-conn-rate. It is a simple and elegant solution all built into pf! :D

From my point of view I don't know why you would want to switch to something else. However, I would recommend dropping the max-src-conn and concentrating on tuning the max-src-conn-rate based upon what is showing up in your auth.log file. Currently I am running a 2/120 and for me it seems to be a sweet spot.
 
Re: pf table - can I view them?

fred974 said:
Thank you @nanotek :) That link is what I needed. So do you think I still need the rule mentioned above if I use fail2ban as per the post?

No, you can remove it. Use either one or the other. Personally, I find security/py-fail2ban more convenient.
 
Re: pf table - can I view them?

nanotek said:
fred974 said:
Thank you @nanotek :) That link is what I needed. So do you think I still need the rule mentioned above if I use fail2ban as per the post?

No, you can remove it. Use either one or the other. Personally, I find security/py-fail2ban more convenient.

OK, when I only use fail2ban, I am no longer able to SSH to the box :( Any chance you could show me your /etc/pf.conf as an example?
 
Re: pf table - can I view them?

Sure.

Code:
ext_if="rl0"
table <fail2ban> file "/var/db/pf/fail2ban.table" counters persist

set skip on lo0
antispoof for $ext_if inet

block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in log quick on $ext_if from <fail2ban> to any

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

Show me your /etc/pf.conf, sshd_config, jail.local and action.d/pf.conf.

Fail2Ban shouldn't block IPs indiscriminately.
 
Re: pf table - can I view them?

@nanotek, thank you for your help on that one :)

Just to add: I was on my LAN when doing the tests: 192.168.0.xx. Looking back at my /etc/pf.conf file, I think that I might have duplicated some rules. I'm not sure though.

root@FreeBSD:~ # vi /etc/pf.conf
Code:
### macro name for external interface.
ext_if = "bge0"
int_if = "lo1"
hostaddr = "192.168.0.155"

### jail IPs
webjail   ="192.168.0.85"
sqljail   ="192.168.0.90"
mailjail ="192.168.0.97"

### jail Ports
webports ="{ http,https }"
sqlports ="{3306}"
mailports ="{25}"
bfports = "{ 22 }" # SSH brute force prevention

### all incoming traffic on external interface is normalized and fragmented
scrub in on $ext_if all fragment reassemble

### nat all jail traffic
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)

### Translation
rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webjail
rdr on $ext_if proto tcp from any to $ext_if port $sqlports -> $sqljail
rdr on $ext_if proto tcp from any to $ext_if port $mailports -> $mailjail

### set a default deny everything policy.
block all

### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, 
set skip on lo0
antispoof for $ext_if inet

### block anything coming from sources that we have no back routes for.
block in from no-route to any

### block packets that fail a reverse path check. 
block in from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that can possibly determine operating system
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

### keep state on any outbound tcp, udp or icmp traffic. 
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### open ports for OpenNTPD service
# Ipv4 Open outgoing port TCP 123 (NTP)
pass out on $ext_if proto tcp to any port ntp
# Ipv4 Open outgoing port UDP 123 (NTP)
pass out on $ext_if proto udp to any port ntp

### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

### setup a table and ruleset that prevents excessive abuse by hosts
### any host that hammers more than 3 connections in 5 seconds gets
table <ssh_abuse> counters persist file "/var/db/pf/sshabuse.table"
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)

### setup a table and ruleset that prevents excessive abuse by hosts
#table <fail2ban> counters persist file "/var/db/pf/bf.table"
#block in quick on $ext_if from <fail2ban> to any
root@FreeBSD:~ # vi /etc/ssh/sshd_config
Code:
ListenAddress 192.168.0.155
LoginGraceTime 30s
PermitRootLogin no
PermitEmptyPasswords no
ClientAliveInterval 600
ClientAliveCountMax 0
Subsystem       sftp    /usr/libexec/sftp-server
AllowUsers sysadmin
AllowGroups sysadmin wheel
root@FreeBSD:~ # vi /usr/local/etc/fail2ban/jail.local
Code:
[DEFAULT]
backend         = auto
bantime         = -1  ; permanent ban
findtime        = 604800  ; 1 week aggregation
maxretry        = 5
destemail       = webadmin@yourdomain.com
ignoreip        = 127.0.0.1/8 192.168.0.0/16 213.146.159.254/24
logtargets      = /var/log/fail2ban.log

[ssh-pf]
enabled         = true
filter          = sshd
action          = pf
logpath         = /var/log/auth.log
maxretry        = 5

[ssh-ddos]
enabled         = true
filter          = sshd-ddos
action          = pf
logpath         = /var/log/auth.log
maxretry        = 3
root@FreeBSD:~ # vi /usr/local/etc/fail2ban/action.d/pf.conf
Code:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32

[Init]
tablename = fail2ban
port         = ssh
localhost    = 127.0.0.1
 
Re: pf table - can I view them?

fred974 said:
@nanotek, thank you for your help on that one :)
Just to add.. I was on my LAN when doing the tests...192.168.0.xx

Did you use your local or external IP? If on your LAN, try ssh user@hostname (e.g. if your FreeBSD box hostname is server: ssh user@server) instead of the external IP.

fred974 said:
Looking back at my /etc/pf.conf file, I think that I might have duplicated some rules.. not sure though.

root@FreeBSD:~ # vi /etc/pf.conf
Code:
### macro name for external interface.
ext_if = "bge0"
int_if = "lo1"
hostaddr = "192.168.0.155"

### jail IPs
webjail   ="192.168.0.85"
sqljail   ="192.168.0.90"
mailjail ="192.168.0.97"

### jail Ports
webports ="{ http,https }"
sqlports ="{3306}"
mailports ="{25}"
bfports = "{ 22 }" # SSH brute force prevention

### all incoming traffic on external interface is normalized and fragmented
scrub in on $ext_if all fragment reassemble

### nat all jail traffic
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)

If your jails are on the same device and subnet as your host and LAN, I don't think you need NAT here. Can your jails access the net without it? Are you port-forwarding at your router too?

fred974 said:
Code:
### Translation
rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webjail
rdr on $ext_if proto tcp from any to $ext_if port $sqlports -> $sqljail
rdr on $ext_if proto tcp from any to $ext_if port $mailports -> $mailjail

### set a default deny everything policy.
block all

With a block all directive, you don't need the rest of the block rules.

fred974 said:
Code:
### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, 
set skip on lo0
antispoof for $ext_if inet

### block anything coming from sources that we have no back routes for.
block in from no-route to any

### block packets that fail a reverse path check. 
block in from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that can possibly determine operating system
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

### keep state on any outbound tcp, udp or icmp traffic. 
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### open ports for OpenNTPD service
# Ipv4 Open outgoing port TCP 123 (NTP)
pass out on $ext_if proto tcp to any port ntp
# Ipv4 Open outgoing port UDP 123 (NTP)
pass out on $ext_if proto udp to any port ntp

### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

### setup a table and ruleset that prevents excessive abuse by hosts
### any host that hammers more than 3 connections in 5 seconds gets
table <ssh_abuse> counters persist file "/var/db/pf/sshabuse.table"
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)

### setup a table and ruleset that prevents excessive abuse by hosts
#table <fail2ban> counters persist file "/var/db/pf/bf.table"
#block in quick on $ext_if from <fail2ban> to any

So, as soon as you comment out the above max-src-conn* rule and uncomment the block in [...] <fail2ban> rule and reload /etc/pf.conf you can no longer ssh? That's strange. As you can see, the latter only blocks <fail2ban> entries, which would only be added to the table after 5 unauthorized access attempts (according to your jail.local settings).

fred974 said:
root@FreeBSD:~ # vi /etc/ssh/sshd_config
Code:
ListenAddress 192.168.0.155
LoginGraceTime 30s
PermitRootLogin no
PermitEmptyPasswords no
ClientAliveInterval 600
ClientAliveCountMax 0
Subsystem       sftp    /usr/libexec/sftp-server
AllowUsers sysadmin
AllowGroups sysadmin wheel

Looks fine.

fred974 said:
root@FreeBSD:~ # vi /usr/local/etc/fail2ban/jail.local
Code:
[DEFAULT]
backend         = auto
bantime         = -1  ; permanent ban
findtime        = 604800  ; 1 week aggregation
maxretry        = 5
destemail       = webadmin@yourdomain.com
ignoreip        = 127.0.0.1/8 192.168.0.0/16 213.146.159.254/24
logtargets      = /var/log/fail2ban.log

[ssh-pf]
enabled         = true
filter          = sshd
action          = pf
logpath         = /var/log/auth.log
maxretry        = 5

[ssh-ddos]
enabled         = true
filter          = sshd-ddos
action          = pf
logpath         = /var/log/auth.log
maxretry        = 3

Looks fine.

fred974 said:
root@FreeBSD:~ # vi /usr/local/etc/fail2ban/action.d/pf.conf
Code:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32

[Init]
tablename = fail2ban
port         = ssh
localhost    = 127.0.0.1

Either remove the block all or the remaining block directives, flush the rules and table and reload the new ruleset with pfctl -F all -f /etc/pf.conf and try to ssh as said above.

Your setup appears similar to mine:

# ifconfig
Code:
ath0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether 00:16:e3:14:8f:33
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
        status: no carrier
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2008<VLAN_MTU,WOL_MAGIC>
        ether 00:a0:d1:38:e6:f5
        inet 10.0.0.48 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::2a0:d1ff:fe38:e6f5%rl0 prefixlen 64 scopeid 0x2
        inet 10.0.0.110 netmask 0xffffffff broadcast 10.0.0.255
        inet 10.0.0.120 netmask 0xffffffff broadcast 10.0.0.255
        inet 10.0.0.100 netmask 0xffffffff broadcast 10.0.0.255
        inet 10.0.0.130 netmask 0xffffffff broadcast 10.0.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33184

# cat /etc/pf.conf
Code:
ext_if="rl0"
table <fail2ban> file "/var/db/pf/fail2ban.table" counters persist

set skip on lo0
antispoof for $ext_if inet

block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in log quick on $ext_if from <fail2ban> to any

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

# cat /usr/local/etc/fail2ban/jail.local
Code:
[DEFAULT]
backend         = auto
bantime         = -1
findtime        = 604800
maxretry        = 5
destemail       = admin@ecbb.org
ignoreip        = 127.0.0.1 10.0.0.0/24 127.0.0.0/8
logtargets      = /var/log/fail2ban.log

[ssh-pf]
enabled         = true
filter          = sshd
action          = pf
logpath         = /var/log/auth.log
maxretry        = 5

[ssh-ddos]
enabled         = true
filter          = sshd-ddos
action          = pf
logpath         = /var/log/auth.log
maxretry        = 3

# cat /usr/local/etc/fail2ban/action.d/pf.conf
Code:
[Definition]
actionstart =
actionstop =
actioncheck =

actionban = /sbin/pfctl -t <tablename> -T add <ip>/32
actionunban = /sbin/pfctl -t <tablename> -T delete <ip>/32

[Init]
tablename = fail2ban

# cat /etc/ssh/sshd_config
Code:
AllowUsers detach ghost
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Subsystem       sftp    /usr/libexec/sftp-server

And mine works, but I can't see why yours doesn't.
 
Re: pf table - can I view them?

Hi,

I was at home. SSHing in using my external IP as ssh user@hostname doesn't work at all.
  • ssh user@hostname - Not working.
  • ssh user@192.168.0.x - Not working.
  • ssh user@externalIP - All good.
My router is forwarding all port 22 to the host IP. This actually brings up another issue: pinging the host name from the LAN doesn't work either, but I think this could be because I am using PuTTY on a wireless connection.
 
Re: pf table - can I view them?

With
Code:
block in quick on $ext_if from <fail2ban> to any
you can only SSH to your external IP. With
Code:
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
you can SSH to the external and local IP?

Try adding:
Code:
pass in on $ext_if proto tcp to any port ssh

to /etc/pf.conf with the Fail2Ban directive.

It shouldn't be necessary because you already have an SSH pass rule but try it anyway.
 
Re: pf table - can I view them?

Hi @nanotek

I'll try to fiddle with my pf.conf file at a later date and get back to you :)

Work has gone a bit mad..
 
Re: pf table - can I view them?

Hi @nanotek,

Found my problem..
My IP ended up in the ban table somehow.. removed it and now all is working fine :)
 