Solved Eventually they will find what they are looking for (setting up fail2ban with pf)

[Aknot]

Hello,

I got some really valuable help earlier, improving pf rules for a web server, thanks again for that.
I want to continue try making the life hard for some malicious beings out there.

Example:

tcpdump -n -e -ttt -r /var/log/pflog

00:00:03.008672 rule 16/0(match): block in on vmx0: 141.98.10.136.51361 > 203.0.113.254: Flags [SEW]
00:00:05.999539 rule 16/0(match): block in on vmx0: 141.98.10.136.51361 > 203.0.113.254: Flags [S]
00:06:42.195216 rule 16/0(match): block in on vmx0: 141.98.10.235.56255 > 203.0.113.254: Flags [SEW]
00:00:02.986042 rule 16/0(match): block in on vmx0: 141.98.10.235.56255 > 203.0.113.254: Flags [SEW]

Eventually they will find the open SSH port.
The password is luckily so long and complicated, it's impossible to even remember.

But I feel the need of installing security/py-fail2ban or similar, to stop the scans for open ports.
I saw that it was important to add anchor "f2b/*" when configuring pf.conf.

Is there anything else good knowing before starting setting up fail2ban?
Thank you,

 

[covacat]

Hello,

I got some really valuable help earlier, improving pf rules for a web server, thanks again for that.
I want to continue try making the life hard for some malicious beings out there.

Example:

tcpdump -n -e -ttt -r /var/log/pflog

00:00:03.008672 rule 16/0(match): block in on vmx0: 141.98.10.136.51361 > 203.0.113.254: Flags [SEW]
00:00:05.999539 rule 16/0(match): block in on vmx0: 141.98.10.136.51361 > 203.0.113.254: Flags [S]
00:06:42.195216 rule 16/0(match): block in on vmx0: 141.98.10.235.56255 > 203.0.113.254: Flags [SEW]
00:00:02.986042 rule 16/0(match): block in on vmx0: 141.98.10.235.56255 > 203.0.113.254: Flags [SEW]

Eventually they will find the open SSH port.
The password is luckily so long and complicated, it's impossible to even remember.

But I feel the need of installing fail2ban or similar, to stop the scans for open ports.
I saw that it was important to add anchor "f2b/*" when configuring pf.conf.

Is there anything else good knowing before starting setting up fail2ban?
Thank you,

whitelist your lan

 

[suntzu00]

or you can use blacklistd(8) which is in base

 

[SirDice]

I like security/sshguard a little more, less dependencies. But it also has a lot less features, in this regard Fail2Ban is much more versatile as you can even create your own detection rules.

 

[Aknot]

Snuck off to work and installed security/sshguard

# service sshguard status => sshguard is running as pid 97095.

Added the following to pf.conf

### SSH GUARD
table <sshguard> persist
block in proto tcp from <sshguard>

In sshguard.conf I have

#!/bin/sh
# sshguard.conf -- SSHGuard configuration
BACKEND="/usr/local/libexec/sshg-fw-pf"
FILES="/var/log/auth.log"
THRESHOLD=30
BLOCK_TIME=120
DETECTION_TIME=1800
IPV6_SUBNET=128
IPV4_SUBNET=32
PID_FILE=/var/run/sshguard.pid
BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
WHITELIST_FILE=/usr/local/etc/sshguard.whitelist

pfctl -t sshguard -T isn't showing anything.
So I guess I'll just have to wait (or install and run nmap from another network).

 

[VladiBG]

The password is luckily so long and complicated, it's impossible to even remember.

Did you ever consider to stop using passwords for SSH login and migrate to SSH key based authentication?

 

[Aknot]

Did you ever consider to stop using passwords for SSH login and migrate to SSH key based authentication?

VladiBG Actually I have, I think that will be the next step from here.

 

[kisscool-fr]

I like security/sshguard a little more, less dependencies. But it also has a lot less features, in this regard Fail2Ban is much more versatile as you can even create your own detection rules.

It's also possible in sshguard to add new rules but that's not as easy. You have to play with code lines :/

Snuck off to work and installed security/sshguard

# service sshguard status => sshguard is running as pid 97095.

Added the following to pf.conf

### SSH GUARD
table <sshguard> persist
block in proto tcp from <sshguard>

I would set block rule for sshguard table with "quick" keyword and put it as early as possible. Oh and probably not limit to tcp protocol.

pfctl -t sshguard -T isn't showing anything.
So I guess I'll just have to wait (or install and run nmap from another network).

You can monitor in auth.log or messages log files what sshguard is doing.

 

[Aknot]

You can monitor in auth.log or messages log files what sshguard is doing.

You're right

# tail /var/log/auth.log
May  9 09:53:37 srv05 sshd[98207]: Bad protocol version identification '\003' from 185.0.0.0 port 65149
May  9 09:53:37 srv05 sshguard[97098]: Attack from "185.0.0.0" on service SSH with danger 10.

 

[Aknot]

I made the changes recommended by kisscool-fr and everything seems to be working just fine.

Now is this stuck in my head instead:
How does security/sshguard tell pf what to block, by just adding a table name in pf.conf?

table <sshguard> persist

Is the table <sshguard> loaded into memory from sshguard, and how does pf fetch it? ?
My other blacklist in pf.conf is loaded by pointing to a file, that's more understandable

table <blockedips> persist file "/usr/local/etc/pf.blocked.ip.conf"

The man page sshguard-setup(7) just states:

SSHGuard adds attackers to table <sshguard>

Thank you everyone,

 

[SirDice]

How does security/sshguard tell pf what to block, by just adding a table name in pf.conf?

Is the table <sshguard> loaded into memory from sshguard, and how does pf fetch it?

sshguard just adds to the table with a command similar to this: pfctl -t sshguard -T add <ip address>. The tables from PF are stored in memory, so you can easily manipulate them. You'll need a rule like this:

block in quick on $ext_if from <sshguard> to any

Fail2ban works slightly different, it 'injects' complete block rules at the anchor point in PF.

 

[Aknot]

sshguard just adds to the table with a command similar to this: pfctl -t sshguard -T add <ip address>. The tables from PF are stored in memory, so you can easily manipulate them. You'll need a rule like this:

block in quick on $ext_if from <sshguard> to any

Fail2ban works slightly different, it 'injects' complete block rules at the anchor point in PF.

Thanks for clearing that out SirDice