pf not stopping bruteforce attempts
Clash Royale CLAN TAG#URR8PPP
I am setting up an SFTP server for me and my friends and I am trying to stop brute force attempts.
I have read many articles on how to get pf to stop brute force attacks and am not having any luck.
I am running OpenBSD 6.4
Here is my current /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 s then Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto tcp udp user _pbuild
ext_if="em0"
antispoof quick for ($ext_if) #No IP or GPS SPOOFING allowed here :)
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp to any:network port 22
keep state (max-src-conn 10, max-src-conn-rate 5/5,
overload <bruteforce> flush global)
table <ssh_block> persist
block quick from <ssh_block> to any
When I checked the tables brute-force and ssh_block they didn't exist. So on ssh_block
I ran the command
pfctl -t ssh_block -T add 218.92.1.138
1 table created.
1/1 addresses added.
pfctl -t ssh_block -T show
218.92.1.138
However my /var/log/authlog is still filling up with attempts from that ip address.
What am I missing?
ssh security openbsd pf
edited Dec 19 '18 at 18:41
Rui F Ribeiro
39k1479129
asked Dec 19 '18 at 16:13
babyPenguin
33
add a comment |
I am setting up an SFTP server for me and my friends and I am trying to stop brute force attempts.
I have read many articles on how to get pf to stop brute force attacks and am not having any luck.
I am running OpenBSD 6.4
Here is my current /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 s then Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto tcp udp user _pbuild
ext_if="em0"
antispoof quick for ($ext_if) #No IP or GPS SPOOFING allowed here :)
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp to any:network port 22
keep state (max-src-conn 10, max-src-conn-rate 5/5,
overload <bruteforce> flush global)
table <ssh_block> persist
block quick from <ssh_block> to any
When I checked the tables brute-force and ssh_block they didn't exist. So on ssh_block
I ran the command
pfctl -t ssh_block -T add 218.92.1.138
1 table created.
1/1 addresses added.
pfctl -t ssh_block -T show
218.92.1.138
However my /var/log/authlog is still filling up with attempts from that ip address.
What am I missing?
ssh security openbsd pf
edited Dec 19 '18 at 18:41
Rui F Ribeiro
39k1479129
asked Dec 19 '18 at 16:13
babyPenguin
33
Did you reboot or runpfctl -f /etc/pf.confafter modifying that file?
– Kusalananda
Dec 19 '18 at 16:32
I had an error on the configno IP address found for any:network/etc/pf.conf:22: could not parse host specificationpfctl: Syntax error in config file: pf rules not loadedI commented out my other block rule. No errors now. however after I rebooted the server my ssh_block table is empty
– babyPenguin
Dec 19 '18 at 16:46
1
You can't use:networkonany, I think. I just usepass in on egress proto tcp to any port ssh(etc.)
– Kusalananda
Dec 19 '18 at 16:50
1
@Kusalananda please make that an answer and I will accept it. I haven't received any more attempts from that IP address.
– babyPenguin
Dec 19 '18 at 18:22
add a comment |
I am setting up an SFTP server for me and my friends and I am trying to stop brute force attempts.
I have read many articles on how to get pf to stop brute force attacks and am not having any luck.
I am running OpenBSD 6.4
Here is my current /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 s then Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto tcp udp user _pbuild
ext_if="em0"
antispoof quick for ($ext_if) #No IP or GPS SPOOFING allowed here :)
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp to any:network port 22
keep state (max-src-conn 10, max-src-conn-rate 5/5,
overload <bruteforce> flush global)
table <ssh_block> persist
block quick from <ssh_block> to any
When I checked the tables brute-force and ssh_block they didn't exist. So on ssh_block
I ran the command
pfctl -t ssh_block -T add 218.92.1.138
1 table created.
1/1 addresses added.
pfctl -t ssh_block -T show
218.92.1.138
However my /var/log/authlog is still filling up with attempts from that ip address.
What am I missing?
ssh security openbsd pf
edited Dec 19 '18 at 18:41
Rui F Ribeiro
39k1479129
asked Dec 19 '18 at 16:13
babyPenguin
33
I am setting up an SFTP server for me and my friends and I am trying to stop brute force attempts.
I have read many articles on how to get pf to stop brute force attacks and am not having any luck.
I am running OpenBSD 6.4
Here is my current /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 s then Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
block return # block stateless traffic
pass # establish keep-state
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto tcp udp user _pbuild
ext_if="em0"
antispoof quick for ($ext_if) #No IP or GPS SPOOFING allowed here :)
table <bruteforce> persist
block quick from <bruteforce>
pass inet proto tcp to any:network port 22
keep state (max-src-conn 10, max-src-conn-rate 5/5,
overload <bruteforce> flush global)
table <ssh_block> persist
block quick from <ssh_block> to any
When I checked the tables brute-force and ssh_block they didn't exist. So on ssh_block
I ran the command
pfctl -t ssh_block -T add 218.92.1.138
1 table created.
1/1 addresses added.
pfctl -t ssh_block -T show
218.92.1.138
However my /var/log/authlog is still filling up with attempts from that ip address.
What am I missing?
ssh security openbsd pf
ssh security openbsd pf
edited Dec 19 '18 at 18:41
Rui F Ribeiro
39k1479129
asked Dec 19 '18 at 16:13
babyPenguin
33
edited Dec 19 '18 at 18:41
Rui F Ribeiro
39k1479129
asked Dec 19 '18 at 16:13
babyPenguin
33
edited Dec 19 '18 at 18:41
Rui F Ribeiro
39k1479129
edited Dec 19 '18 at 18:41
Rui F Ribeiro
39k1479129
edited Dec 19 '18 at 18:41
Rui F Ribeiro
39k1479129
39k1479129
asked Dec 19 '18 at 16:13
babyPenguin
33
asked Dec 19 '18 at 16:13
babyPenguin
33
asked Dec 19 '18 at 16:13
babyPenguin
33
33
Did you reboot or runpfctl -f /etc/pf.confafter modifying that file?
– Kusalananda
Dec 19 '18 at 16:32
I had an error on the configno IP address found for any:network/etc/pf.conf:22: could not parse host specificationpfctl: Syntax error in config file: pf rules not loadedI commented out my other block rule. No errors now. however after I rebooted the server my ssh_block table is empty
– babyPenguin
Dec 19 '18 at 16:46
1
You can't use:networkonany, I think. I just usepass in on egress proto tcp to any port ssh(etc.)
– Kusalananda
Dec 19 '18 at 16:50
1
@Kusalananda please make that an answer and I will accept it. I haven't received any more attempts from that IP address.
– babyPenguin
Dec 19 '18 at 18:22
add a comment |
Did you reboot or runpfctl -f /etc/pf.confafter modifying that file?
– Kusalananda
Dec 19 '18 at 16:32
I had an error on the configno IP address found for any:network/etc/pf.conf:22: could not parse host specificationpfctl: Syntax error in config file: pf rules not loadedI commented out my other block rule. No errors now. however after I rebooted the server my ssh_block table is empty
– babyPenguin
Dec 19 '18 at 16:46
1
You can't use:networkonany, I think. I just usepass in on egress proto tcp to any port ssh(etc.)
– Kusalananda
Dec 19 '18 at 16:50
1
@Kusalananda please make that an answer and I will accept it. I haven't received any more attempts from that IP address.
– babyPenguin
Dec 19 '18 at 18:22
Did you reboot or run
pfctl -f /etc/pf.conf after modifying that file?– Kusalananda
Dec 19 '18 at 16:32
Did you reboot or run
pfctl -f /etc/pf.conf after modifying that file?– Kusalananda
Dec 19 '18 at 16:32
I had an error on the config
no IP address found for any:network /etc/pf.conf:22: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded I commented out my other block rule. No errors now. however after I rebooted the server my ssh_block table is empty– babyPenguin
Dec 19 '18 at 16:46
I had an error on the config
no IP address found for any:network /etc/pf.conf:22: could not parse host specification pfctl: Syntax error in config file: pf rules not loaded I commented out my other block rule. No errors now. however after I rebooted the server my ssh_block table is empty– babyPenguin
Dec 19 '18 at 16:46
1
1
You can't use
:network on any, I think. I just use pass in on egress proto tcp to any port ssh (etc.)– Kusalananda
Dec 19 '18 at 16:50
You can't use
:network on any, I think. I just use pass in on egress proto tcp to any port ssh (etc.)– Kusalananda
Dec 19 '18 at 16:50
1
1
@Kusalananda please make that an answer and I will accept it. I haven't received any more attempts from that IP address.
– babyPenguin
Dec 19 '18 at 18:22
@Kusalananda please make that an answer and I will accept it. I haven't received any more attempts from that IP address.
– babyPenguin
Dec 19 '18 at 18:22
add a comment |
1 Answer
1
active
oldest
votes
The issue was an error in the /etc/pf.conf file that prevented the firewall from loading its configuration at all (:network applies to a specific interface).
An example of using pf for blocking brute-force connections is given in the OpenBSD PF FAQ, and it boils down to the rules (modified from originally being a www example to something I am using for ssh):
table <bruteforce> persist
block in quick from <bruteforce>
pass in on egress proto tcp to any port ssh flags S/SA keep state
(max-src-conn 5, max-src-conn-rate 5/30,
overload <bruteforce> flush global)
This would put any host that connects more often than five times every 30 seconds into the <bruteforce> table, which would block it. It also only allows five connections per source address.
Another option is to use SSHGuard. There is a port of SSHGuard for OpenBSD, but it's very old (release 1.5 from 2011). I've just (a few minutes ago) submitted an update to it which will hopefully be committed within a few days.
answered Dec 19 '18 at 18:35
Kusalananda
121k16229372
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f489952%2fpf-not-stopping-bruteforce-attempts%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The issue was an error in the /etc/pf.conf file that prevented the firewall from loading its configuration at all (:network applies to a specific interface).
An example of using pf for blocking brute-force connections is given in the OpenBSD PF FAQ, and it boils down to the rules (modified from originally being a www example to something I am using for ssh):
table <bruteforce> persist
block in quick from <bruteforce>
pass in on egress proto tcp to any port ssh flags S/SA keep state
(max-src-conn 5, max-src-conn-rate 5/30,
overload <bruteforce> flush global)
This would put any host that connects more often than five times every 30 seconds into the <bruteforce> table, which would block it. It also only allows five connections per source address.
Another option is to use SSHGuard. There is a port of SSHGuard for OpenBSD, but it's very old (release 1.5 from 2011). I've just (a few minutes ago) submitted an update to it which will hopefully be committed within a few days.
answered Dec 19 '18 at 18:35
Kusalananda
121k16229372
add a comment |
The issue was an error in the /etc/pf.conf file that prevented the firewall from loading its configuration at all (:network applies to a specific interface).
An example of using pf for blocking brute-force connections is given in the OpenBSD PF FAQ, and it boils down to the rules (modified from originally being a www example to something I am using for ssh):
table <bruteforce> persist
block in quick from <bruteforce>
pass in on egress proto tcp to any port ssh flags S/SA keep state
(max-src-conn 5, max-src-conn-rate 5/30,
overload <bruteforce> flush global)
This would put any host that connects more often than five times every 30 seconds into the <bruteforce> table, which would block it. It also only allows five connections per source address.
Another option is to use SSHGuard. There is a port of SSHGuard for OpenBSD, but it's very old (release 1.5 from 2011). I've just (a few minutes ago) submitted an update to it which will hopefully be committed within a few days.
answered Dec 19 '18 at 18:35
Kusalananda
121k16229372
add a comment |
The issue was an error in the /etc/pf.conf file that prevented the firewall from loading its configuration at all (:network applies to a specific interface).
An example of using pf for blocking brute-force connections is given in the OpenBSD PF FAQ, and it boils down to the rules (modified from originally being a www example to something I am using for ssh):
table <bruteforce> persist
block in quick from <bruteforce>
pass in on egress proto tcp to any port ssh flags S/SA keep state
(max-src-conn 5, max-src-conn-rate 5/30,
overload <bruteforce> flush global)
This would put any host that connects more often than five times every 30 seconds into the <bruteforce> table, which would block it. It also only allows five connections per source address.
Another option is to use SSHGuard. There is a port of SSHGuard for OpenBSD, but it's very old (release 1.5 from 2011). I've just (a few minutes ago) submitted an update to it which will hopefully be committed within a few days.
answered Dec 19 '18 at 18:35
Kusalananda
121k16229372
The issue was an error in the /etc/pf.conf file that prevented the firewall from loading its configuration at all (:network applies to a specific interface).
An example of using pf for blocking brute-force connections is given in the OpenBSD PF FAQ, and it boils down to the rules (modified from originally being a www example to something I am using for ssh):
table <bruteforce> persist
block in quick from <bruteforce>
pass in on egress proto tcp to any port ssh flags S/SA keep state
(max-src-conn 5, max-src-conn-rate 5/30,
overload <bruteforce> flush global)
This would put any host that connects more often than five times every 30 seconds into the <bruteforce> table, which would block it. It also only allows five connections per source address.
Another option is to use SSHGuard. There is a port of SSHGuard for OpenBSD, but it's very old (release 1.5 from 2011). I've just (a few minutes ago) submitted an update to it which will hopefully be committed within a few days.
answered Dec 19 '18 at 18:35
Kusalananda
121k16229372
edited Dec 19 '18 at 18:46
answered Dec 19 '18 at 18:35
Kusalananda
121k16229372
answered Dec 19 '18 at 18:35
Kusalananda
121k16229372
answered Dec 19 '18 at 18:35
Kusalananda
121k16229372
121k16229372
add a comment |
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f489952%2fpf-not-stopping-bruteforce-attempts%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Did you reboot or run
pfctl -f /etc/pf.confafter modifying that file?– Kusalananda
Dec 19 '18 at 16:32
I had an error on the config
no IP address found for any:network/etc/pf.conf:22: could not parse host specificationpfctl: Syntax error in config file: pf rules not loadedI commented out my other block rule. No errors now. however after I rebooted the server my ssh_block table is empty– babyPenguin
Dec 19 '18 at 16:46
1
You can't use
:networkonany, I think. I just usepass in on egress proto tcp to any port ssh(etc.)– Kusalananda
Dec 19 '18 at 16:50
1
@Kusalananda please make that an answer and I will accept it. I haven't received any more attempts from that IP address.
– babyPenguin
Dec 19 '18 at 18:22