Automaticaly block IPs with PF

[DNAeon]

Hi,

I frequently check my logs and there are always some ips that are trying to get access to my system using bruteforce or some other scripts. I have never needed a tool to examine my logs and report such attacks, cause I'm looking at my logs very frequently, but now when I won't have that opportunity ( I won't be at home for a certain time ), I'd like to use such a tool that examines the logs and blocks..

What I'm using right now is a table in PF that reads /etc/blocked_ips and blocks each ip listed in the file.

Code:

# --- block every ip from /etc/blocked_ips file ---
table <blocked_ips> persist file "/etc/blocked_ips"

# --- block every ip from /etc/blocked_ips file
block in log quick on $ext_if from <blocked_ips> to any

I'd like to use a script that examines for bad ssh logins (/var/log/auth), bad smtp attempts (/var/log/maillog), etc..

I want to ask you - what kind of automatic protection are you using? Some kind of a self-written scripts, or some ports that examines the logs and put the bad ips in file?

Thanks!

[DutchDaemon]

I have several scripts hanging off of different syslog categories and logfiles, which are manipulating several pf tables on the fly, but there are tools like sysutils/grok as well.

[jggimi]

I use state table management (overload ... flush) in PF filter rules, in combination with a set of scripts.

[DNAeon]

Can you, please show me some of your custom protection scripts that you use with PF?

[jggimi]

I'll post a few examples once I have access. I am behind a restrictive firewall at the moment.

[jggimi]

Here's an example of using overload...flush to block script kiddie ssh attacks. Any IP address who connects too often too quickly will have their state(s) killed, and they'll be added to the ssh-badguys table:

Code:

# Allow inbound ssh, block more than 3 connections in 30 seconds. 
#
pass in log on $external_nic proto tcp to any port ssh \
    keep state (max-src-conn-rate 3/30, \
    overload <ssh-badguys> flush global)

The ssh-badguys table is temporary. Here's a script that adds the IP address(es) from either the ssh-badguys or ftp-badguys tables into a single, large and permanent badguys table, updates a database with the IP address(es), date/time of the block and a reason for the block. The ftp-badguys table is no longer used, though, as I run a modified ftpd(8) instead, which drops connections from abusers so I don't need it unless I want to restart blocking them from all access. So far, these have all been script kiddies who have scripts that, without my mod, will loop forever attempting to log on to "Administrator":

Code:

#!/usr/bin/perl
# run by cron every 5 mins

# examine ssh-badguys table, if any records:
# 1) add to badguys
# 2) delete from ssh-badguys
# 3) update database

@ssh = `pfctl -t ssh-badguys -T show`;
foreach (@ssh) {
    my $ip = substr($_, 0, -1); # strip the newline char from the end
    system("pfctl -t badguys -T add $ip");
    system("pfctl -t ssh-badguys -T dele $ip");
    system("/root/blocked-add.pl $ip ssh cron");
    print "badguys: $ip added to table - ssh attack";
}

# examine ftp-badguys table, if any records:
# 1) add to badguys
# 2) delete from ftp-badguys
# 3) update database

@ftp = `pfctl -t ssh-badguys -T show`;
foreach (@ftp) {
    my $ip = substr($_, 0, -1); # strip the newline char from the end
    system("pfctl -t badguys -T add $ip");
    system("pfctl -t ftp-badguys -T dele $ip");
    system("/root/blocked-add.pl $ip ftp cron");
    print "badguys: $ip added to table - ftp attack";
}

Of course, shutting down the system requires putting the badguys table into a file for loading on reboot. Here's an excerpt from /etc/rc.shutdown:

Code:

# do a final update to badguys table, and then
# copy the badguys table to disk
#
# ---> if shutdown during single user, badguys may be 0 bytes.  Don't
# ---> overlay file if so.
#
pfctl -t badguys -T show > /tmp/badguys
test -s /tmp/badguys && /root/badguys.pl && \
    pfctl -t badguys -T show > /etc/badguys && \
    chmod 660 /etc/badguys

Lastly, I'd had trouble with ftpd(8), and used to have a cron job that monitored ftp console sessions, killing any states from IP addresses that exceeded some number of bytes in console sessions, and updating an ftp-badguys table.

I eventually decided that a patch to ftpd would solve my problem with less overhead, and submitted it to the tech@ mailing list. Part of it was accepted, but not the part that was actually useful -- dropping the connection -- so I run with this (-current) patch:

Code:

Index: ftpd.c
===================================================================
RCS file: /cvs/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.185
diff -u -r1.185 ftpd.c
--- ftpd.c    30 Sep 2008 16:16:21 -0000    1.185
+++ ftpd.c    8 Oct 2008 01:30:51 -0000
@@ -825,7 +825,8 @@
         checkuser(_PATH_FTPCHROOT, name);
     if (anon_only && !dochroot) {
         reply(530, "User %s access denied.", name);
-        return;
+        dologout(0);
+        /* NOTREACHED */
     }
     if (pw) {
         if ((!shell && !dochroot) || checkuser(_PATH_FTPUSERS, name)) {

[jggimi]

I neglected to mention my patch to ftpd(8) was for OpenBSD; something similar could be worked up for FreeBSD's ftpd(8).

[glenbarber]

I personally use security/sshguard-pf to automatically create tables of IP addresses to block.