Packet Filter: Fighting Against Brute Force Attacks
Introduction
You've probably seen brute force connection attempts in your connection logs (sshd, httpd, ftpd, etc.). This is annoying, fills up your logs, and makes your server work harder than it needs to.
Fortunately, Daniel Hartmeier thought of you and added convenient options to his famous Packet Filter firewall, affectionately nicknamed PF. These options are 'max-src-conn-rate' and 'max-src-conn', which are used in combination with 'overload'. They are available in PF starting with OpenBSD 3.7, FreeBSD 6.0, and NetBSD 2.0.
PF Configuration
This is configured in the PF configuration file, /etc/pf.conf. I'll give an example for SSH, but the principle is the same for other ports.
Previously, to authorize SSH connections from outside, you would have a line that looked like this (with $external being the name of your external network interface):
Simply replace this line with:
In order:
- We create a table that will store the attackers' IPs
- We block everything coming from these IPs
- We allow SSH connections if there are fewer than 2 connection attempts in 10 seconds
- Otherwise, we register the IP in the table and destroy all connections corresponding to that IP
Obviously, you can customize the frequency of connection attempts and also use 'max-src-conn' to limit the total number of connections from an IP.
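The rule set described in the four steps above, written out as an added example (it is not the article's own configuration). The interface name "em0", the table name "bruteforce" and the limit of 15 simultaneous connections are assumptions; the rate of 2 connections per 10 seconds is the one the article uses:

```pf
# Added example, not the original article's pf.conf. Interface "em0",
# table name "bruteforce" and the max-src-conn value are assumptions.
ext_if = "em0"

# Table that holds the offending source addresses. "persist" keeps the table
# alive even while no rule references it, so entries survive rule reloads.
table <bruteforce> persist

# Allow SSH, but keep per-source statistics:
#   max-src-conn 15         at most 15 simultaneous connections per source
#   max-src-conn-rate 2/10  at most 2 new connections per 10 seconds per source
#   overload <bruteforce>   a source exceeding either limit is added to the table
#   flush global            ... and every state it owns is killed, not only SSH
pass in on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global)

# Drop everything from listed sources. In PF the last matching rule wins, so
# this rule must come after the pass rule above (or carry the "quick" keyword);
# placed before it, the pass rule would be the last match and the block would
# never take effect.
block in log on $ext_if from <bruteforce>
```

Because "flush global" kills the states of a source as soon as it is added to the table, its next SYN is evaluated against the rules again and now ends on the block rule. Check the file with `pfctl -nf /etc/pf.conf` before loading it.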
That's it - enjoy the tranquility, and say goodbye to mindless attacks!
Managing Blacklisted IPs
To display the list of blacklisted IPs:
To remove a blacklisted IP or all IPs:
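The pfctl table commands for these two tasks, wrapped in small shell functions as an added example (not the article's own commands). The table name "bruteforce" is assumed, and PFCTL can be overridden to point at another pfctl binary:

```shell
#!/bin/sh
# Added example, not the article's own commands. Assumes the blacklist table
# is named "bruteforce"; PFCTL may be overridden (e.g. PFCTL=/sbin/pfctl).
PFCTL="${PFCTL:-pfctl}"

# List every address currently in the blacklist table.
show_blacklist() {
    "$PFCTL" -t bruteforce -T show
}

# Remove one address (or network, e.g. 192.0.2.0/24) from the table.
unblock_ip() {
    [ -n "$1" ] || { echo "usage: unblock_ip <address>" >&2; return 2; }
    "$PFCTL" -t bruteforce -T delete "$1"
}

# Empty the table entirely.
flush_blacklist() {
    "$PFCTL" -t bruteforce -T flush
}
```

`pfctl -t bruteforce -T show -v` additionally prints per-entry packet counters, which is handy to see whether a listed address is still knocking.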
Adding a Whitelist
For those who wish to add a whitelist, here are the lines to add:
Here, the /etc/ssh/whitelist file must be filled with the IPs to whitelist.
Configuration Example
If this isn't clear enough, here's a configuration example:
Here, of the whitelist and blacklist rules, the whitelist rule comes last. This is because in PF the last matching rule takes precedence (unless a rule carries 'quick'). It allows us to connect even if we get blacklisted because we failed to connect after x attempts, as long as we're in the whitelist.
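A complete pf.conf for the whole setup, including the whitelist, as an added example (not the article's own file). The interface name "em0" is an assumption; /etc/ssh/whitelist is the path the article uses, one address or network per line. The rule order is the one the article explains: the blacklist rule sits after the tracked pass rule, and the whitelist rule sits last so that it is the final match for whitelisted sources:

```pf
# Added example, not the article's own configuration. Interface "em0" is an
# assumption; /etc/ssh/whitelist holds one address or network per line.
ext_if = "em0"

table <bruteforce> persist
table <whitelist> persist file "/etc/ssh/whitelist"

# Regular SSH rule with source tracking: more than 2 new connections within
# 10 seconds puts the source into <bruteforce> and kills all of its states.
pass in on $ext_if proto tcp from any to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 2/10, overload <bruteforce> flush global)

# Blacklist: placed after the rule above so that it is the last match for a
# listed source (last matching rule wins).
block in log on $ext_if from <bruteforce>

# Whitelist: placed last, so a whitelisted source is let through even when it
# is also in <bruteforce>. This rule has no overload option, so a whitelisted
# host can never be added to the table through it.
pass in on $ext_if proto tcp from <whitelist> to $ext_if port ssh \
    flags S/SA keep state
```

The whitelist file is read when the rule set is loaded. To pick up changes to it without reloading the rules, replace the table contents from the file with `pfctl -t whitelist -T replace -f /etc/ssh/whitelist`.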
Don't forget to reload the configuration:
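A reload helper, as an added example (not the article's own command), that parses the file first so that a typo cannot leave the firewall with an unloaded rule set; the path /etc/pf.conf is the one the article uses, and PFCTL and PF_CONF may be overridden:

```shell
#!/bin/sh
# Added example, not the article's own command. Checks the rule set with
# "pfctl -n" (parse only) before loading it. PFCTL and PF_CONF are overridable.
PFCTL="${PFCTL:-pfctl}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Validate, then load /etc/pf.conf. Tables declared with "file" are re-read too.
reload_pf() {
    "$PFCTL" -nf "$PF_CONF" || {
        echo "$PF_CONF has errors, not reloading" >&2
        return 1
    }
    "$PFCTL" -f "$PF_CONF"
}

# Reload only the whitelist table from its file, leaving the rules untouched.
reload_whitelist() {
    "$PFCTL" -t whitelist -T replace -f /etc/ssh/whitelist
}
```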