something like bruteblock for pf?


something like bruteblock for pf?

by Len Conrad


I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.  

But bruteblock, which hasn't moved in 3 years, logged a lot of errors like "failed to <ip> ..." which didn't seem to bother its effectiveness, but was concerning, and ugly.

Anybody know of anything similar for pf?

thanks
Len

_______________________________________________
freebsd-pf@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@..."

Re: something like bruteblock for pf?

by Igor Mozolevsky-3

2009/8/23 Len Conrad <LConrad@...>:
>
> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.

[snip]

> Anybody know of anything similar for pf?


http://www.bgnett.no/~peter/pf/en/spamd.setup.html


Cheers,
--
Igor

Re: something like bruteblock for pf?

by Len Conrad


>> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.
>
>[snip]
>
>> Anybody know of anything similar for pf?
>
>
>http://www.bgnett.no/~peter/pf/en/spamd.setup.html

thanks, but I've never liked tarpitting, no matter how inexpensive it is, and I already have greylisting.

I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.

Len
 


Re: something like bruteblock for pf?

by Peter Maxwell-3

2009/8/23 Len Conrad <LConrad@...>:
>
> I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.
>


Are you sure you really need this in the first place?  Others may
disagree, but the way I see it is pf is a packet filter, your MTA
should be dealing with SMTP "attacks".

Nonetheless, it's probably fairly trivial to do something like you are
requesting.  Create your pf ruleset with table(s) and corresponding
drop rules.  You can then create a simple cron script that parses the
logs from your sshd, ftpd, etc and uses pfctl to replace the
appropriate table with offending IPs or address ranges.  You would
probably have to manage timeouts in your scripts as well though.
Please note that - in most situations at least - allowing applications
in userland to modify firewall rules is a particularly bad idea, for
obvious reasons.  Good firewall practice would suggest that the box
doing packet filtering does that and only that, with all external
services placed in a DMZ; if an attacker then compromises one of your
services then they cannot mess about with the firewall rules, or much
else for that matter.

Before implementing something like this, I would urge caution: if what
you're asking was actually of any use, someone else would probably
have done it properly.  I can't imagine how log entries from an ftp
server, say, are going to be related to your smtp server security?  If
it's a simple connection management, then
max-src-conn/max-src-conn-rate might be a more robust solution.

Peter

Re: something like bruteblock for pf?

by Ron Wilhoite

On 08/22/2009 10:57 PM Peter Maxwell wrote:
> 2009/8/23 Len Conrad <LConrad@...>:
>> I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.
>>
...
> Before implementing something like this, I would urge caution: if what
> you're asking was actually of any use, someone else would probably
> have done it properly.   I can't imagine how log entries from an ftp
> server, say, are going to be related to your smtp server security?  If
> it's a simple connection management, then
> max-src-conn/max-src-conn-rate might be a more robust solution.
>

http://johan.fredin.info/openbsd/block_ssh_bruteforce.html explains how
to use max-src-conn-rate and expiretable.

# pkg_info -x expiretable
Information for expiretable-0.6:

Comment:
Utility to remove entries from the pf(4) table based on their age

Description:
Expiretable is a utility used to remove entries from the pf(4) table
based on their age.

The age in question being the amount of time that has passed since
the statistics for each entry in the target table was last cleared.

WWW: http://expiretable.fnord.se/

Ron

Re: something like bruteblock for pf?

by Artyom Viklenko

Len Conrad wrote:
> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.  
>
> But bruteblock, which hasn't moved in 3 years, logged a lot of errors like "failed to <ip> ..." which didn't seem to bother its effectiveness, but was concerning, and ugly.
>
> Anybody know of anything similar for pf?
>

ports/security/sshguard-pf

--
            Sincerely yours,
                               Artyom Viklenko.
-------------------------------------------------------
artem@... | http://www.aws-net.org.ua/~artem
artem@...   |   http://www.viklenko.net/~artem
FreeBSD: The Power to Serve   -  http://www.freebsd.org

Re: something like bruteblock for pf?

by Len Conrad


>On 08/22/2009 10:57 PM Peter Maxwell wrote:
>>2009/8/23 Len Conrad <LConrad@...>:
>>>I'm looking for something like bruteblock that logwatches (smtp, ssh, ftp, whatever) and inserts/removes TCP block rules into pf for x hours, so the protocol daemons are involved.
>...
>>Before implementing something like this, I would urge caution: if what
>>you're asking was actually of any use, someone else would probably
>>have done it properly.   I can't imagine how log entries from an ftp
>>server, say, are going to be related to your smtp server security?  If
>>it's a simple connection management, then
>>max-src-conn/max-src-conn-rate might be a more robust solution.
>
>http://johan.fredin.info/openbsd/block_ssh_bruteforce.html explains how to use max-src-conn-rate and expiretable.
>
># pkg_info -x expiretable
>Information for expiretable-0.6:
>
>Comment:
>Utility to remove entries from the pf(4) table based on their age
>
>Description:
>Expiretable is a utility used to remove entries from the pf(4) table
>based on their age.
>
>The age in question being the amount of time that has passed since
>the statistics for each entry in the target table was last cleared.
>
>WWW: http://expiretable.fnord.se/

I have no problem putting IPs into pf, it's expiring them that was blocking me, but expiretable fixes that.

I don't use pf for protecting these "sacrificial" machines generally, only for reactive blocking.

thanks
Len



Re: something like bruteblock for pf?

by Nickola Kolev

On Sun, 23 Aug 2009 18:21:16 +0300
Artyom Viklenko <artem@...> wrote:

> Len Conrad wrote:
> > I've used bruteblock, which manages ipfw, for blocking SMTP
> > attackers and reducing smtp connects by 10s of 1000s per day.  
> >
> > But bruteblock, which hasn't moved in 3 years, logged a lot of
> > errors like "failed to <ip> ..." which didn't seem to bother its
> > effectiveness, but was concerning, and ugly.
> >
> > Anybody know of anything similar for pf?
> >
>
> ports/security/sshguard-pf

Mentioning that, why don't you take a look at:

http://blocksshd.sourceforge.net/

--
Best regards,
Nickola

Re: something like bruteblock for pf?

by Daniel Gerzo-3

Len Conrad wrote:
> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.  
>
> Anybody know of anything similar for pf?

security/bruteforceblocker

--
S pozdravom / Best regards
   Daniel Gerzo, FreeBSD committer

Re: something like bruteblock for pf?

by Balázs Mátéffy

Hi guys,

I'm using bruteforceblocker at the moment on my systems, thanks for this
great utility Daniel!

Can you tweak it to get the IPs from proftpd or any other log, or does it
work out of the box and you just have to set it up in syslog.conf (I didn't
see that feature in the doc)?

Or is sshguard more appropriate for these things?

Thanks, Best Regards,

Repcsi

2009/8/23 Daniel Gerzo <danger@...>

> Len Conrad wrote:
>
>> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and
>> reducing smtp connects by 10s of 1000s per day.
>> Anybody know of anything similar for pf?
>>
>
> security/bruteforceblocker
>
> --
> S pozdravom / Best regards
>  Daniel Gerzo, FreeBSD committer
>
>

Re: something like bruteblock for pf?

by Daniel Gerzo-3

Balázs Mátéffy wrote:

> Hi guys,
>
> I'm using bruteforceblocker at the moment on my systems, thanks for this
> great utility Daniel!
>
> Can you tweak it to get the IPs from proftpd or any other log, or does it
> work out of the box and you just have to set it up in syslog.conf (I didn't
> see that feature in the doc)?
>
> Or is sshguard more appropriate for these things?

Check the /usr/local/sbin/bruteforceblocker file and edit the line which
looks like the following:

     if (/.*Failed password.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}) port.*/i || ...


You just need to add any regular expression that meets your requirements
and set the syslog up so that the logs are directed to bruteforceblocker
as well.


--
S pozdravom / Best regards
   Daniel Gerzo, FreeBSD committer

Re: something like bruteblock for pf?

by Peter N. M. Hansteen-3

Igor Mozolevsky <mozolevsky@...> writes:

>> I've used bruteblock, which manages ipfw, for blocking SMTP attackers and reducing smtp connects by 10s of 1000s per day.
>
> [snip]
>
>> Anybody know of anything similar for pf?
>
> http://www.bgnett.no/~peter/pf/en/spamd.setup.html

OP more likely wants something like state tracking with overload
tables, ie http://home.nuug.no/~peter/pf/en/bruteforce.html or similar
(yes, please update your bookmarks to point to the nuug site, the
bgnett one is getting stale).

It's worth noting that the overload tables method is not limited to
specific services as long as you can dream up sensible criteria and
some useful action to take on the hosts that end up in the overload
list.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: something like bruteblock for pf?

by George Davidovich

On Sun, Aug 23, 2009 at 10:49:24AM -0500, Len Conrad wrote:
> > On 08/22/2009 10:57 PM Peter Maxwell wrote:
> > > 2009/8/23 Len Conrad <LConrad@...>:
> > > > I'm looking for something like bruteblock that logwatches (smtp,
> > > > ssh, ftp, whatever) and inserts/removes TCP block rules into pf
> > > > for x hours, so the protocol daemons are involved.

If you're looking for a general-purpose solution, see
/usr/ports/sysutils/grok.  The FreeBSD man cgi doesn't seem to want to
show the manpage, so here's an alternate link for more information:

http://www.semicomplete.com/projects/grok/

> > > Before implementing something like this, I would urge caution: if
> > > what you're asking was actually of any use, someone else would
> > > probably have done it properly.   I can't imagine how log entries
> > > from an ftp server, say, are going to be related to your smtp
> > > server security?  If it's a simple connection management, then
> > > max-src-conn/max-src-conn-rate might be a more robust solution.
> >
> > http://johan.fredin.info/openbsd/block_ssh_bruteforce.html explains
> > how to use max-src-conn-rate and expiretable.
> >
> > # pkg_info -x expiretable
> > Information for expiretable-0.6:
> >
> > Comment:
> > Utility to remove entries from the pf(4) table based on their age
>
> I have no problem putting IPs into pf, it's expiring them that was
> blocking me, but expiretable fixes that.

From pfctl(8):

  -T command [address ...]
       Specify the command (may be abbreviated) to apply to the
       table.  Commands include:
       ...          
       -T expire number
            Delete addresses which had their statistics cleared more
            than number seconds ago.  For entries which have never
            had their statistics cleared, number refers to the time
            they were added to the table.

IIRC, the expire command was added in 7.0 or 7.1.

--
George
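The cron-driven design Peter Maxwell sketches, the per-daemon log patterns Daniel Gerzo describes for bruteforceblocker, and the pfctl -T expire aging George quotes, combined into one script as an added example (not code from the thread, from bruteblock, bruteforceblocker or any other tool named here): it parses constructed sshd and proftpd log lines, adds repeat offenders to an assumed pf table <bruteforce> and ages that table with pfctl -T expire. The PFCTL override hook, the table name, the threshold and the pf.conf lines in the comments are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the cron-style blocker Peter Maxwell
# sketched, with per-daemon patterns as in Daniel Gerzo's reply and aging by
# pfctl -T expire as George Davidovich quotes. All names below are assumed.
# pf.conf side (assumed): one table takes both kernel-side overload entries
# (Peter Hansteen's method) and the log-driven entries added by this script.
#   table <bruteforce> persist
#   block in quick from <bruteforce>
#   pass in on $ext_if proto tcp to port { ssh, ftp, smtp } keep state \
#       (max-src-conn-rate 5/30, overload <bruteforce> flush global)
PFCTL="${PFCTL:-pfctl}"              # hook so the pfctl call can be stubbed
TABLE="${TABLE:-bruteforce}"         # pf table named above
THRESHOLD="${THRESHOLD:-3}"          # failures per source before blocking
EXPIRE_SECS="${EXPIRE_SECS:-86400}"  # drop table entries older than 24 h
# One awk rule per daemon extracts the source IPv4 of a failed login.
# Reads log lines on stdin, prints one address per failed attempt.
extract_failures() {
    awk '
    /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
        for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1); next }
    /proftpd\[[0-9]+\].*(Login failed|no such user)/ {
        if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/))
            print substr($0, RSTART + 1, RLENGTH - 2); next }'
}
# Sources seen at least THRESHOLD times, one per line, sorted.
offenders() {
    extract_failures | sort | uniq -c | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}
# Cron entry point (block_offenders < /var/log/auth.log): add offenders to
# the table, then age out entries older than EXPIRE_SECS.
block_offenders() {
    ips=$(offenders)
    if [ -n "$ips" ]; then
        "$PFCTL" -q -t "$TABLE" -T add $ips   # unquoted: one argument per address
    fi
    "$PFCTL" -q -t "$TABLE" -T expire "$EXPIRE_SECS"
}
# Constructed sample log (RFC 5737 addresses): 192.0.2.10 and 198.51.100.7
# reach the threshold, 192.0.2.20 does not.
SAMPLE_LOG='Aug 23 10:57:01 mx sshd[4021]: Failed password for root from 192.0.2.10 port 51234 ssh2
Aug 23 10:57:02 mx sshd[4021]: Failed password for root from 192.0.2.10 port 51235 ssh2
Aug 23 10:57:04 mx sshd[4025]: Failed password for admin from 192.0.2.10 port 51240 ssh2
Aug 23 10:57:05 mx sshd[4030]: Failed password for len from 192.0.2.20 port 40111 ssh2
Aug 23 10:58:00 mx proftpd[4100] mx (198.51.100.7[198.51.100.7]): USER ftp: no such user found from 198.51.100.7 [198.51.100.7] to 203.0.113.5:21
Aug 23 10:58:01 mx proftpd[4100] mx (198.51.100.7[198.51.100.7]): USER www (Login failed): Incorrect password
Aug 23 10:58:02 mx proftpd[4101] mx (198.51.100.7[198.51.100.7]): USER root (Login failed): Incorrect password'
printf '%s\n' "$SAMPLE_LOG" | offenders   # prints 192.0.2.10 and 198.51.100.7
```

Run as-is it only lists the offenders from the embedded sample and touches no firewall; from cron, feed the real log into block_offenders.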

Re: something like bruteblock for pf?

by Ollivier Robert

According to Len Conrad:
> Anybody know of anything similar for pf?

postdandee does such manipulations for Postfix and you can configure it to
add/remove pf rules for each address.

http://traveler.com.br/blogs/ze/postdandee/

-----
...
my $BLOCKHOSTCOMMAND    = 'pfctl -qt blackhole -Tadd $offendingHost  2>\&1 > /dev/null';
my $RELEASEHOSTCOMMAND  = 'pfctl -qt blackhole -Tdelete $offendingHost 2>\&1 > /dev/null';


# $ROUTECHECKCOMMAND :
# the command you'd like to use when checking for existing routes
# postdandee will not try to add a route over an existing one
my $ROUTECHECKCOMMAND   = 'pfctl -qt blackhole -Tshow';
...
-----

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@...
In memoriam to Ondine : http://ondine.keltia.net/
