PF to Preventing SMTP Brute Force Attacks
Shiv. Nath
prabhpal at digital-infotech.net
Fri Jun 15 16:55:37 UTC 2012
> Limiting yourself to 200 states won't protect you very much -- you tend
> to get a whole series of attacks from the same IP, and that just uses
> one state at a time.
>
> Instead, look at the frequency with which an attacker tries to connect
> to you. Something like this:
>
> table <bruteforce> persist
>
> [...]
>
> block in log quick from <bruteforce>
>
> [...]
>
> pass in on $ext_if proto tcp \
> from any to $ext_if port $trusted_tcp_ports \
> flags S/SA keep state \
> (max-src-conn-rate 3/300, overload <bruteforce> flush global)
>
> Plus you'll need a cron job like this to clean up the bruteforce table,
> otherwise it will just grow larger and larger:
>
> */12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
>
> The end result of this is that if one IP tries to connect to you more
> than 3 times in 5 minutes, they will get blacklisted. I normally use
> this just for ssh, so you might want to adjust the parameters
> appropriately. You should also implement a whitelist for IP ranges you
> control or use frequently and that will never be used for bruteforce
> attacks: it is quite easy to block yourself out with these sort of rules.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                 7 Priory Courtyard
>                                                 Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey   Ramsgate
> JID: matthew at infracaninophile.co.uk          Kent, CT11 9PW
Dear Matthew,
Grateful for sending me in the right direction; the solution really sounds good.
Does this look like a good configuration for "/etc/pf.conf"?
# START
table <bruteforce> persist
block in log quick from <bruteforce>
pass in on $ext_if proto tcp \
from any to $ext_if port $trusted_tcp_ports \
flags S/SA keep state \
(max-src-conn-rate 3/300, overload <bruteforce> flush global)
# END
AND CRON:
*/12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
What is the function of "expire 604800"? Are they entries in the table?
Should it be -t bruteforce or -t ssh-bruteforce?
Thanks
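The two questions above (whether the cron job should name bruteforce or ssh-bruteforce, and what expire 604800 does) as an added shell example that is not part of the thread: pfctl -T expire N deletes table entries older than N seconds (604800 is seven days), but only from the table given with -t, so if that name differs from the one the overload rule fills, the blacklist is never trimmed. The script below extracts the table names defined in a pf.conf and the -t argument of any pfctl expire line in a crontab and flags a mismatch. The pf.conf and crontab contents are constructed sample input; the em0 interface, the port list and the 192.0.2.0/24 whitelist range are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check that the table named in
# the pfctl expire cron job is one that pf.conf actually defines, which is
# exactly the <bruteforce> vs ssh-bruteforce question above. The pf.conf and
# crontab contents are constructed sample input written to a temp directory.
set -eu

# Print the name of every "table <name>" definition in a pf.conf.
pf_table_names() {
    sed -n 's/^[[:space:]]*table[[:space:]]\{1,\}<\([^>]*\)>.*/\1/p' "$1"
}

# Print the -t argument of every "pfctl ... -T expire" line in a crontab.
cron_expire_tables() {
    grep 'pfctl.*-T expire' "$1" \
        | sed -n 's/.*[[:space:]]-t[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p'
}

# Print the expire argument of the first "pfctl ... -T expire" line, in days.
cron_expire_days() {
    secs=$(grep 'pfctl.*-T expire' "$1" \
        | sed -n '1s/.*-T expire[[:space:]]\{1,\}\([0-9]*\).*/\1/p')
    echo $((secs / 86400))
}

# Return 0 if every table the cron job expires is defined in pf.conf;
# otherwise report each missing name on stderr and return 1.
check_table_consistency() {
    conf=$1 cron=$2 status=0
    for name in $(cron_expire_tables "$cron"); do
        if ! pf_table_names "$conf" | grep -qx "$name"; then
            echo "cron expires <$name> but $conf defines no such table" >&2
            status=1
        fi
    done
    return $status
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed pf.conf modelled on the rule in the thread, plus the whitelist
# table Matthew recommends so your own ranges can never be overloaded.
# Interface, ports and whitelist range are assumed values.
cat > "$tmp/pf.conf" <<'EOF'
ext_if = "em0"
trusted_tcp_ports = "{ 22, 25 }"
table <whitelist> persist { 192.0.2.0/24 }
table <bruteforce> persist
pass in quick on $ext_if from <whitelist>
block in log quick from <bruteforce>
pass in on $ext_if proto tcp from any to $ext_if port $trusted_tcp_ports \
    flags S/SA keep state \
    (max-src-conn-rate 3/300, overload <bruteforce> flush global)
EOF

# Constructed crontab as posted in the thread: the table name does not match.
cat > "$tmp/crontab.bad" <<'EOF'
*/12 * * * * /sbin/pfctl -t ssh-bruteforce -T expire 604800 >/dev/null 2>&1
EOF

# Constructed crontab with the -t argument matching the pf.conf table.
cat > "$tmp/crontab.good" <<'EOF'
*/12 * * * * /sbin/pfctl -t bruteforce -T expire 604800 >/dev/null 2>&1
EOF

for cron in "$tmp/crontab.bad" "$tmp/crontab.good"; do
    if check_table_consistency "$tmp/pf.conf" "$cron"; then
        echo "$cron: OK, expires entries older than $(cron_expire_days "$cron") days"
    else
        echo "$cron: MISMATCH, this cron job would never expire <bruteforce>"
    fi
done
```

Run it against your real /etc/pf.conf and the output of crontab -l by pointing check_table_consistency at those files instead of the constructed ones; it only reads them and never calls pfctl, so it is safe to run on a production firewall.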
More information about the freebsd-stable mailing list