No FreeBSD, estou tentando bloquear tentativas de força bruta via ssh com pf na porta 22 usando esta regra:
table <bruteforce> persist
pass log inet proto tcp from any to any port 22 flags S/SA keep state \
(max-src-conn 3, max-src-conn-rate 3/60, \
overload <bruteforce> flush global)
block in quick from <bruteforce>
Já carreguei a configuração com doas pfctl -f /etc/pf.confe habilitei o pf com doas pfctl -e. Estou tentando executar ataques de força bruta SSH de um PC diferente do servidor onde estou configurando o firewall (usando SSH). No entanto, quando executo o comando doas pfctl -t bruteforce -T showno servidor, não obtenho nenhum resultado. O bruteforce está sendo executado usando este comando:
hydra -l test -P word.txt 192.168.178.82 ssh
Usando o comando doas tcpdump -i em0 port 22eu vejo as requisições.
O arquivo /etc/pf.confé configurado assim:
set block-policy return
scrub in all fragment reassemble no-df max-mss 1440
nat on em0 from 10.0.0.0/24 to any -> (em0)
set skip on lo0
block in all
block out all
block in quick inet6 all
block out quick inet6 all
pass in quick proto tcp from 192.168.178.0/24 to any port 22 keep state
pass in quick proto tcp to any port 443 keep state
pass out quick proto tcp to any port 443 keep state
pass in quick proto tcp from 127.0.0.1 to 127.0.0.1 port 8080 keep state
pass out quick proto udp from any to any port 53
pass in quick proto udp from any to any port 53
pass out quick on epair1a
pass in quick on epair1a from em0 to any
pass in quick on em0 from 10.0.0.0/24 to any
pass in quick on lo0
pass out quick on lo0
table <bruteforce> persist
pass log inet proto tcp from any to any port 22 flags S/SA keep state \
(max-src-conn 3, max-src-conn-rate 3/60, \
overload <bruteforce> flush global)
block in quick from <bruteforce>
e arquivo /etc/rc.conf:
#System
clear_tmp_enable="YES"
syslogd_flags="-ss"
hostname="test"
keymap="it.kbd"
sshd_enable="YES"
moused_nondefault_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"
auditd_enable="YES"
#Network
ipv6_enable="NO"
ipv6_network_interfaces="none"
ipv6_activate_all_interfaces="NO"
ipv6_gateway_enable="NO"
ifconfig_em0="DHCP"
#Level 2 ISO/OSI: ipfw
firewall_enable="YES"
#Level 3 ISO/OSI: pf
firewall_enable="YES"
firewall_type="client"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
firewall_logif="YES"
# Jails
cbsd_workdir="/home/user/jails"
cbsdd_enable="YES"
O arquivo /etc/sysctl.conf:
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
vfs.zfs.min_auto_ashift=12
#Network
net.inet6.ip6.enable=0
net.inet6.ip6.forwarding="0"
net.inet.ip.fw.verbose_limit=5
#Hardening
kern.securelevel="1"
hw.kbd.keymap_restrict_change="4" # disallow keymap changes for non-privileged users
kern.ipc.shm_use_phys="1" # lock shared memory into RAM and prevent it from being paged out to swap (default 0, disabled)
kern.msgbuf_show_timestamp="1" # display timestamp in msgbuf (default 0)
kern.randompid="1" # calculate PIDs by the modulus of the integer given, choose a random int (default 0)
net.inet.icmp.drop_redirect="1" # no redirected ICMP packets (default 0)
net.inet.ip.check_interface="1" # verify packet arrives on correct interface (default 0)
net.inet.ip.portrange.first="1024" # use ports 1024 to portrange.last for outgoing connections (default 10000)
net.inet.ip.portrange.randomcps="999" # use random port allocation if less than this many ports per second are allocated (default 10)
net.inet.ip.random_id="1" # assign a random IP id to each packet leaving the system (default 0)
net.inet.ip.redirect="0" # do not send IP redirects (default 1)
net.inet.tcp.always_keepalive="0" # disable tcp keep alive detection for dead peers, keepalive can be spoofed (default 1)
net.inet.tcp.blackhole="2" # drop tcp packets destined for closed ports (default 0)
net.inet.tcp.drop_synfin="1" # SYN/FIN packets get dropped on initial connection (default 0)
net.inet.tcp.ecn.enable="0" # Explicit Congestion Notification disabled unless proper active queue manageme
net.inet.tcp.fast_finwait2_recycle="1" # recycle FIN/WAIT states quickly, helps against DoS, but may cause false RST
net.inet.tcp.finwait2_timeout="5000" # TCP FIN_WAIT_2 timeout waiting for client FIN packet before state close (default 60000, 60 sec)
net.inet.tcp.icmp_may_rst="0" # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.keepinit="5000" # establish connection in five(5) seconds or abort attempt (default 75000, 75 secs)
net.inet.tcp.msl="2500" # Maximum Segment Lifetime, time the connection spends in TIME_WAIT state (default 30000, 2*MSL = 60 sec)
net.inet.tcp.nolocaltimewait="1" # remove TIME_WAIT states for the loopback interface (default 0)
net.inet.tcp.path_mtu_discovery="0" # disable MTU discovery since many hosts drop ICMP type 3 packets (default 1)
net.inet.tcp.rexmit_slop="70" # reduce the TCP retransmit timer, min+slop=100ms (default 200ms)
net.inet.udp.blackhole="1" # drop udp packets destined for closed sockets (default 0)
security.bsd.hardlink_check_gid="1" # unprivileged processes may not create hard links to files owned by other groups (default 0)
security.bsd.hardlink_check_uid="1" # unprivileged processes may not create hard links to files owned by other users (default 0)
security.bsd.see_other_gids="0" # groups only see their own processes. root can see all (default 1)
security.bsd.see_other_uids="0" # users only see their own processes. root can see all (default 1)
security.bsd.stack_guard_page="1" # stack smashing protection (SSP), ProPolice, defence against buffer overflows
security.bsd.unprivileged_proc_debug="0" # unprivileged processes may not use process debugging (default 1)
security.bsd.unprivileged_read_msgbuf="0" # unprivileged processes may not read the kernel message buffer (default 1)
Você poderia me ajudar a entender por que não consigo bloquear solicitações via força bruta e, portanto, vejo-as bloqueadas com doas pfctl -t bruteforce -T show?
Desde já, obrigado.
Modificando com
e testando fazendo
ssh -l foo 192.168.178.80 &4 vezes, funciona!