On FreeBSD, I am trying to block brute-force attempts over ssh on port 22 with pf, using the following rules:
table <bruteforce> persist
pass log inet proto tcp from any to any port 22 flags S/SA keep state \
(max-src-conn 3, max-src-conn-rate 3/60, \
overload <bruteforce> flush global)
block in quick from <bruteforce>
I loaded the configuration with
doas pfctl -f /etc/pf.conf
and enabled pf with
doas pfctl -e
I am trying to run an SSH brute-force attack (over SSH) from a PC other than the server where the firewall is configured. However, when I run
doas pfctl -t bruteforce -T show
on the server, I get no results. The brute-force attack is being run with the following command:
hydra -l test -P word.txt 192.168.178.82 ssh
With the command
doas tcpdump -i em0 port 22
I can see the requests.
The file /etc/pf.conf is configured as follows:
set block-policy return
scrub in all fragment reassemble no-df max-mss 1440
nat on em0 from 10.0.0.0/24 to any -> (em0)
set skip on lo0
block in all
block out all
block in quick inet6 all
block out quick inet6 all
pass in quick proto tcp from 192.168.178.0/24 to any port 22 keep state
pass in quick proto tcp to any port 443 keep state
pass out quick proto tcp to any port 443 keep state
pass in quick proto tcp from 127.0.0.1 to 127.0.0.1 port 8080 keep state
pass out quick proto udp from any to any port 53
pass in quick proto udp from any to any port 53
pass out quick on epair1a
pass in quick on epair1a from em0 to any
pass in quick on em0 from 10.0.0.0/24 to any
pass in quick on lo0
pass out quick on lo0
table <bruteforce> persist
pass log inet proto tcp from any to any port 22 flags S/SA keep state \
(max-src-conn 3, max-src-conn-rate 3/60, \
overload <bruteforce> flush global)
block in quick from <bruteforce>
and the file /etc/rc.conf:
#System
clear_tmp_enable="YES"
syslogd_flags="-ss"
hostname="test"
keymap="it.kbd"
sshd_enable="YES"
moused_nondefault_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"
auditd_enable="YES"
#Network
ipv6_enable="NO"
ipv6_network_interfaces="none"
ipv6_activate_all_interfaces="NO"
ipv6_gateway_enable="NO"
ifconfig_em0="DHCP"
#Level 2 ISO/OSI: ipfw
firewall_enable="YES"
#Level 3 ISO/OSI: pf
firewall_enable="YES"
firewall_type="client"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
firewall_logif="YES"
# Jails
cbsd_workdir="/home/user/jails"
cbsdd_enable="YES"
The file /etc/sysctl.conf:
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
vfs.zfs.min_auto_ashift=12
#Network
net.inet6.ip6.enable=0
net.inet6.ip6.forwarding="0"
net.inet.ip.fw.verbose_limit=5
#Hardening
kern.securelevel="1"
hw.kbd.keymap_restrict_change="4" # disallow keymap changes for non-privileged users
kern.ipc.shm_use_phys="1" # lock shared memory into RAM and prevent it from being paged out to swap (default 0, disabled)
kern.msgbuf_show_timestamp="1" # display timestamp in msgbuf (default 0)
kern.randompid="1" # calculate PIDs by the modulus of the integer given, choose a random int (default 0)
net.inet.icmp.drop_redirect="1" # no redirected ICMP packets (default 0)
net.inet.ip.check_interface="1" # verify packet arrives on correct interface (default 0)
net.inet.ip.portrange.first="1024" # use ports 1024 to portrange.last for outgoing connections (default 10000)
net.inet.ip.portrange.randomcps="999" # use random port allocation if less than this many ports per second are allocated (default 10)
net.inet.ip.random_id="1" # assign a random IP id to each packet leaving the system (default 0)
net.inet.ip.redirect="0" # do not send IP redirects (default 1)
net.inet.tcp.always_keepalive="0" # disable tcp keep alive detection for dead peers, keepalive can be spoofed (default 1)
net.inet.tcp.blackhole="2" # drop tcp packets destined for closed ports (default 0)
net.inet.tcp.drop_synfin="1" # SYN/FIN packets get dropped on initial connection (default 0)
net.inet.tcp.ecn.enable="0" # Explicit Congestion Notification disabled unless proper active queue manageme
net.inet.tcp.fast_finwait2_recycle="1" # recycle FIN/WAIT states quickly, helps against DoS, but may cause false RST
net.inet.tcp.finwait2_timeout="5000" # TCP FIN_WAIT_2 timeout waiting for client FIN packet before state close (default 60000, 60 sec)
net.inet.tcp.icmp_may_rst="0" # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.keepinit="5000" # establish connection in five(5) seconds or abort attempt (default 75000, 75 secs)
net.inet.tcp.msl="2500" # Maximum Segment Lifetime, time the connection spends in TIME_WAIT state (default 30000, 2*MSL = 60 sec)
net.inet.tcp.nolocaltimewait="1" # remove TIME_WAIT states for the loopback interface (default 0)
net.inet.tcp.path_mtu_discovery="0" # disable MTU discovery since many hosts drop ICMP type 3 packets (default 1)
net.inet.tcp.rexmit_slop="70" # reduce the TCP retransmit timer, min+slop=100ms (default 200ms)
net.inet.udp.blackhole="1" # drop udp packets destined for closed sockets (default 0)
security.bsd.hardlink_check_gid="1" # unprivileged processes may not create hard links to files owned by other groups (default 0)
security.bsd.hardlink_check_uid="1" # unprivileged processes may not create hard links to files owned by other users (default 0)
security.bsd.see_other_gids="0" # groups only see their own processes. root can see all (default 1)
security.bsd.see_other_uids="0" # users only see their own processes. root can see all (default 1)
security.bsd.stack_guard_page="1" # stack smashing protection (SSP), ProPolice, defence against buffer overflows
security.bsd.unprivileged_proc_debug="0" # unprivileged processes may not use process debugging (default 1)
security.bsd.unprivileged_read_msgbuf="0" # unprivileged processes may not read the kernel message buffer (default 1)
Can you help me understand why I cannot block the requests from the brute-force attack, and therefore why I do not see them blocked with
doas pfctl -t bruteforce -T show
?
Thanks in advance.
Edit
I modified it and tested with
ssh -l foo 192.168.178.80 &
4 times, and it worked!
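The two pf behaviours that decide whether the <bruteforce> table ever fills up are rule ordering and the rate counter. pf evaluates rules top to bottom and the last matching rule wins, except that a matching rule marked `quick` ends evaluation immediately; `max-src-conn-rate 3/60` on a pass rule puts the source into the overload table once it opens more than 3 new connections within 60 seconds, and the connection that crosses the limit is dropped (it shows up as `src-limit` in `pfctl -s info`) rather than passed. In the posted ruleset the earlier `pass in quick proto tcp from 192.168.178.0/24 to any port 22 keep state` line matches SSH SYNs from the LAN and stops evaluation, so the overload rule is never reached for those packets. The following model, an added example and not code from the post, replays the SSH-related rules of the posted pf.conf against a constructed source address (192.168.178.5) and constructed timestamps, once as posted and once without the earlier quick rule. It models only rule matching and `max-src-conn-rate`; state tracking, `max-src-conn` and `flush global` are left out.

```python
"""Toy model of pf rule evaluation and the max-src-conn-rate overload table.

Added example, not code from the original post.  The ruleset mirrors the SSH
lines of the posted /etc/pf.conf; the source address 192.168.178.5 and the
timestamps are constructed.  Only rule matching and max-src-conn-rate are
modelled (no state table, no max-src-conn, no "flush global").
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    quick: bool = False                  # stop evaluation when this rule matches
    src: Optional[str] = None            # CIDR, or "<name>" to match table members
    dport: Optional[int] = None          # destination port, None = any
    rate: Optional[Tuple[int, int]] = None   # (max new connections, window seconds)
    overload: Optional[str] = None       # table that receives offending sources


class PfModel:
    def __init__(self, rules):
        self.rules = rules
        self.tables = defaultdict(set)
        # (rule index, source) -> timestamps of recent new connections
        self.history = defaultdict(deque)

    def _matches(self, rule, src, dport):
        if rule.dport is not None and rule.dport != dport:
            return False
        if rule.src is None:
            return True
        if rule.src.startswith("<"):
            return src in self.tables[rule.src.strip("<>")]
        return ip_address(src) in ip_network(rule.src)

    def syn(self, src, dport, now):
        """Evaluate one inbound TCP SYN and return the action pf would take."""
        winner = None
        for idx, rule in enumerate(self.rules):
            if not self._matches(rule, src, dport):
                continue
            winner = (idx, rule)          # last match wins ...
            if rule.quick:
                break                     # ... unless the match is "quick"
        if winner is None:
            return "no-match"
        idx, rule = winner
        if rule.action == "pass" and rule.rate:
            limit, window = rule.rate
            seen = self.history[(idx, src)]
            seen.append(now)
            while seen and now - seen[0] >= window:
                seen.popleft()            # forget connections outside the window
            if len(seen) > limit:
                # Rate exceeded: source goes into the overload table and the
                # connection that crossed the limit is not passed.
                self.tables[rule.overload].add(src)
                return "drop"
        return rule.action


def posted_ruleset():
    """SSH-related rules in the order they appear in the posted pf.conf."""
    return [
        Rule("pass", quick=True, src="192.168.178.0/24", dport=22),
        Rule("pass", dport=22, rate=(3, 60), overload="bruteforce"),
        Rule("block", quick=True, src="<bruteforce>"),
    ]


def without_quick_rule():
    """Same rules with the earlier quick pass rule removed."""
    return posted_ruleset()[1:]


def run(rules, attempts=6, src="192.168.178.5"):
    """Send `attempts` SYNs one second apart; return the actions and the table."""
    pf = PfModel(rules)
    actions = [pf.syn(src, 22, t) for t in range(attempts)]
    return actions, sorted(pf.tables["bruteforce"])


if __name__ == "__main__":
    for name, rules in (("as posted", posted_ruleset()),
                        ("without quick rule", without_quick_rule())):
        actions, table = run(rules)
        print(f"{name}: {actions} -> <bruteforce> = {table}")
```

As posted, every SYN is accepted by the first rule and the table stays empty, which is exactly what an empty `pfctl -t bruteforce -T show` reflects. Without that rule the fourth SYN inside the window is dropped and the source lands in the table, after which the `block in quick from <bruteforce>` rule wins for every later packet.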