Hello!
I've a strange problem with PF's rules. So, here it is:
I've configured fail2ban to guard my asterisk service and added 1 table and 2 rules for PF:
Code:
table <fail2ban> persist
block drop in quick on em1 proto {tcp udp} from <fail2ban> to any
block drop in quick on em1 proto {tcp udp} from any to <fail2ban>
I've started asterisk, fail2ban and the PF rules.
Aaaaaand the asterisk log is full of a bruteforcer trying his/her hardest.
Code:
[Feb 25 16:59:56] NOTICE[10297]: chan_sip.c:17045 handle_request_register: Registration from '"163870"<sip:163870@blahblah>' failed for 'xxx.xxx.xxx.xxx' - No matching peer found
[Feb 25 16:59:56] NOTICE[10297]: chan_sip.c:17045 handle_request_register: Registration from '"163871"<sip:163871@blahblah>' failed for 'xxx.xxx.xxx.xxx' - No matching peer found
[Feb 25 16:59:56] NOTICE[10297]: chan_sip.c:17045 handle_request_register: Registration from '"163872"<sip:163872@blahblah>' failed for 'xxx.xxx.xxx.xxx' - No matching peer found
[Feb 25 16:59:56] NOTICE[10297]: chan_sip.c:17045 handle_request_register: Registration from '"163873"<sip:163873@blahblah>' failed for 'xxx.xxx.xxx.xxx' - No matching peer found
[Feb 25 16:59:56] NOTICE[10297]: chan_sip.c:17045 handle_request_register: Registration from '"163874"<sip:163874@blahblah>' failed for 'xxx.xxx.xxx.xxx' - No matching peer found
The IP of the bruteforcer is already in the <fail2ban> table, as the output below shows.
Code:
blahblah# pfctl -t fail2ban -T show
No ALTQ support in kernel
ALTQ related functions disabled
xxx.xxx.xxx.xxx
blahblah#
Here's the output of pfctl -vvv -s rules:
Code:
blahblah# pfctl -vvv -s rules
No ALTQ support in kernel
ALTQ related functions disabled
@0 block drop in quick on em1 proto tcp from <fail2ban:1> to any
[ Evaluations: 27837 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@1 block drop in quick on em1 proto udp from <fail2ban:1> to any
[ Evaluations: 261 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@2 block drop in quick on em1 proto tcp from any to <fail2ban:1>
[ Evaluations: 5968 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@3 block drop in quick on em1 proto udp from any to <fail2ban:1>
[ Evaluations: 261 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@4 block return out log quick on ! lo0 inet from 127.0.0.0/8 to any
[ Evaluations: 27837 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@5 block return in log quick on ! lo0 inet from any to 127.0.0.0/8
[ Evaluations: 26999 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@6 pass out on lo0 all flags S/SA keep state (if-bound)
[ Evaluations: 27837 Packets: 13571 Bytes: 20462531 States: 31 ]
[ Inserted: uid 0 pid 10518 ]
@7 pass in on lo0 all flags S/SA keep state (if-bound)
[ Evaluations: 838 Packets: 13569 Bytes: 20462427 States: 31 ]
[ Inserted: uid 0 pid 10518 ]
@8 pass in on em1 inet proto udp from any to blahblah port = 1194 keep state (if-bound)
[ Evaluations: 27417 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@9 pass in on em1 inet proto udp from 9xx.xxx.xxx.xxx to blahblah port = sip keep state (if-bound)
[ Evaluations: 256 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@10 pass in on em1 inet proto udp from 1xx.xxx.xxx.xxx to blahblah port = sip keep state (if-bound)
[ Evaluations: 256 Packets: 121 Bytes: 65574 States: 1 ]
[ Inserted: uid 0 pid 10518 ]
@11 pass in quick on em1 inet proto tcp from 6xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
[ Evaluations: 5968 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@12 pass in quick on em1 inet proto tcp from 8xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
[ Evaluations: 5707 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@13 pass in quick on em1 inet proto tcp from 7xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
[ Evaluations: 5707 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@14 pass in quick on em1 inet proto tcp from 4xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
[ Evaluations: 5707 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@15 pass in quick on em1 inet proto tcp from 8xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
[ Evaluations: 5707 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@16 pass in quick on em1 inet proto tcp from 1xx.xxx.xxx.xxx to blahblah port = http flags S/SA keep state (if-bound)
[ Evaluations: 5707 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@17 pass in quick on em1 inet proto tcp from 1xx.xxx.xxx.xxx to blahblah port = http flags S/SA keep state (if-bound)
[ Evaluations: 5707 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@18 pass in quick on em1 inet proto tcp from 4xx.xxx.xxx.xxx to blahblah port = http flags S/SA keep state (if-bound)
[ Evaluations: 5707 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@19 pass in quick on em1 inet proto tcp from 8xx.xxx.xxx.xxx to blahblah port = http flags S/SA keep state (if-bound)
[ Evaluations: 5707 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@20 pass in quick on em1 inet proto tcp from 4xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
[ Evaluations: 5709 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@21 pass in quick on em1 inet proto tcp from 8xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
[ Evaluations: 5709 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@22 pass in quick on em1 inet proto tcp from 6xx.xxx.xxx.xxx to blahblah port = ssh flags S/SA keep state (if-bound)
[ Evaluations: 5709 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@23 block return in quick on em1 inet proto tcp from any to blahblah port = ssh
[ Evaluations: 5709 Packets: 1 Bytes: 40 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@24 block return in quick on em1 inet proto tcp from any to blahblah port = imap
[ Evaluations: 5708 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@25 block return in quick on em1 inet proto tcp from any to blahblah port = pop3s
[ Evaluations: 5708 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@26 block return in quick on em1 inet proto tcp from any to blahblah port = ftp-data
[ Evaluations: 5708 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
@27 block return in quick on em1 inet proto tcp from any to blahblah port = 3128
[ Evaluations: 5708 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 10518 ]
blahblah#
I've replaced the IP of the asterisk server with 'blahblah' and the other IP with xx.xxx.xxx.xxx. Evaluations are there, but there are no matches.
Here's my pf.conf:
Code:
ext_if="em1"
external_addr="blahblah"
# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 100000, frags 5000 }
set loginterface em1
set optimization normal
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
set state-policy if-bound
table <fail2ban> persist
block drop in quick on em1 proto {tcp udp} from <fail2ban> to any
block drop in quick on em1 proto {tcp udp} from any to <fail2ban>
##LO0 Protect
block out quick log on !lo0 from 127.0.0.0/8 to any
block in quick log on !lo0 from any to 127.0.0.0/8
pass out on lo0 all
pass in on lo0 all
pass in on $ext_if proto udp from any to $external_addr port 1194
pass in on $ext_if proto udp from 9xx.xxx.xxx.xxx to $external_addr port 5060
pass in on $ext_if proto udp from 1xx.xxx.xxx.xxx to $external_addr port 5060
pass in quick on $ext_if proto tcp from 6xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 8xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 7xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 4xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 8xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 1xx.xxx.xxx.xxx to $external_addr port 80
pass in quick on $ext_if proto tcp from 1xx.xxx.xxx.xxx to $external_addr port 80
pass in quick on $ext_if proto tcp from 4xx.xxx.xxx.xxx to $external_addr port 80
pass in quick on $ext_if proto tcp from 8xx.xxx.xxx.xxx to $external_addr port 80
pass in quick on $ext_if proto tcp from 4xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 8xx.xxx.xxx.xxx to $external_addr port 22
pass in quick on $ext_if proto tcp from 6xx.xxx.xxx.xxx to $external_addr port 22
block in quick on $ext_if proto tcp from any to $external_addr port 22
block in quick on $ext_if proto tcp from any to $external_addr port 143
block in quick on $ext_if proto tcp from any to $external_addr port 995
block in quick on $ext_if proto tcp from any to $external_addr port 20
block in quick on $ext_if proto tcp from any to $external_addr port 3128
Code:
FreeBSD blahblah 8.2-RELEASE-p9 FreeBSD 8.2-RELEASE-p9 #0: Mon Jun 11 23:00:11 UTC 2012
So what the hell is wrong?
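A check worth doing in a situation like the one above, and the reason for the example that follows: PF looks a packet up in its state table before it evaluates the ruleset at all, so a flow that was allowed (and got a state under "keep state") before its address was added to <fail2ban> keeps passing until that state expires; the block rules are simply never consulted for it. Whether that applies here can be seen with "pfctl -s states | grep <the IP>" while the registrations are arriving. The script below is an added example written for this page, not fail2ban's own pf action and not from the original post: it adds an address to the <fail2ban> table and then kills any existing states originating from or destined to that address, so the block takes effect immediately. It assumes the table name from the post, IPv4 addresses only, and a PFCTL variable that can be pointed at a stand-in for dry runs.

```shell
#!/bin/sh
# Added example (not from the original post, not fail2ban's pf action).
# Ban one address in PF the way a ban action should: put it in the table
# AND kill any state entries that already exist for it, because PF matches
# packets against the state table before it evaluates the ruleset.
#
# Assumptions: table <fail2ban> (from the post); IPv4 only; PFCTL may be
# overridden (e.g. PFCTL=echo) to see what would run without touching pf.

PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-fail2ban}"

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ban_commands ADDR: print the pfctl argument lists ban_ip runs, one per line.
ban_commands() {
    printf '%s\n' "-t $TABLE -T add $1"   # add the address to the table
    printf '%s\n' "-k $1"                 # kill states originating from it
    printf '%s\n' "-k 0.0.0.0/0 -k $1"    # kill states going to it
}

# ban_ip ADDR: apply the ban, then print how many state entries still
# mention ADDR (expected 0). Returns 2 for a malformed address.
ban_ip() {
    valid_ipv4 "$1" || { echo "ban_ip: not an IPv4 address: $1" >&2; return 2; }
    ban_commands "$1" | while read -r args; do
        # word splitting of $args is intended here
        "$PFCTL" $args
    done
    "$PFCTL" -s states | grep -c "$1" || true
}

# Usage (as root on the PF host):   sh ban.sh 203.0.113.5
# Dry run:                          PFCTL=echo sh ban.sh 203.0.113.5
if [ "${1:-}" != "" ]; then
    ban_ip "$1"
fi
```

The "-k" form is pfctl's own state-kill syntax: a single "-k host" kills states originating from that host, and "-k 0.0.0.0/0 -k host" kills states from anywhere to that host, which together cover both directions of a flow. Running the dry-run form first shows exactly what will be executed; after the real run, the count printed at the end should be 0 and the next packet from that address should start registering matches on the <fail2ban> block rules in "pfctl -vvv -s rules".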