Firewall PF
Enable PF
To enable pf, add the following lines to your kernel configuration and rebuild the kernel. On releases that ship pf as a loadable module, the rc.conf entries further down load pf.ko automatically, so a custom kernel is only needed for the ALTQ options, which are not available as a module:
# needed for new packetfilter pf
device pf # required
device pflog # optional, the pflog0 logging interface
device pfsync # optional, state table synchronisation between firewalls
# enable QoS from pf
options ALTQ
options ALTQ_CBQ # Class Based Queueing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Fair Service Curve (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
#options ALTQ_NOPCC # Required for SMP build
Realtime logging
tcpdump -n -e -ttt -i pflog0
tcpdump -A -s 256 -n -e -ttt -i pflog0
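The tcpdump output above scrolls by quickly on a busy host. As an added example that is not part of the original page, the POSIX sh script below counts pf "block" entries per source address from that output and lists the addresses blocked at least a threshold number of times, which are the candidates for adding to the <ssh-bruteforce> table by hand. The sample lines are constructed in the shape of `tcpdump -n -e -ttt` output using documentation address ranges; the script file name pflog_summary.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the page): count pf "block" log entries per source
# address from tcpdump's pflog0 output. Works on the live interface or on the
# rotated log file that pflog_logfile in rc.conf points at:
#   tcpdump -n -e -ttt -r /var/log/pflog | sh pflog_summary.sh -
#   tcpdump -n -e -ttt -i pflog0 -c 500 | sh pflog_summary.sh -
# (pflog_summary.sh is a hypothetical file name for this script.)

# Constructed sample in the shape of "tcpdump -n -e -ttt -i pflog0" output;
# the addresses are documentation ranges, not real hosts.
SAMPLE_PFLOG=$(cat <<'EOF'
00:00:00.000000 rule 1/0(match): block in on em0: 203.0.113.5.51234 > 192.0.2.1.22: Flags [S], seq 1, win 65535, length 0
00:00:00.512345 rule 1/0(match): block in on em0: 203.0.113.5.51235 > 192.0.2.1.22: Flags [S], seq 2, win 65535, length 0
00:00:01.003210 rule 1/0(match): block in on em0: 198.51.100.7.40001 > 192.0.2.1.22: Flags [S], seq 3, win 65535, length 0
00:00:00.200000 rule 1/0(match): block in on em0: 203.0.113.5.51236 > 192.0.2.1.22: Flags [S], seq 4, win 65535, length 0
00:00:02.000000 rule 3/0(match): pass in on em0: 192.0.2.50.33000 > 192.0.2.1.22: Flags [S], seq 5, win 65535, length 0
EOF
)

# Read pflog lines on stdin; print "<count> <source address>" for every
# address that hit a block rule, most frequent first. Only lines whose
# pflog header says "block" are counted, so logged pass rules are ignored.
pflog_count_blocked() {
    awk '
        /\): block / {
            # the source endpoint is the field just before ">"
            src = ""
            for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
            if (src == "") next
            sub(/\.[0-9]+$/, "", src)   # strip the source port (also works for IPv6)
            count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Read pflog lines on stdin; print only the addresses blocked at least $1
# times (default 5): the ones worth adding to the <ssh-bruteforce> table.
pflog_offenders() {
    pflog_count_blocked | awk -v t="${1:-5}" '$1 >= t { print $2 }'
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_PFLOG" | pflog_count_blocked ;;
    -)    pflog_count_blocked ;;
esac
```

Run it with `demo` to see the summary of the constructed sample, or pipe real tcpdump output into it with `-`. Because the counts are only complete at end of input, use `-c` or read the rotated log file rather than an endless live capture.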
View Ruleset
pfctl -sr
Block SSH-Bruteforce attacks
With Script
Install:
security/bruteforceblocker (requires pf as the firewall)
or
security/denyhosts (uses tcp_wrappers and /etc/hosts.allow)
or
security/sshit (requires ipfw as firewall)
or http://www.pjkh.com/wiki/ssh_monitor
With pf
Enable pf in rc.conf:
# enable pf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
Edit /etc/pf.conf:
ext_if = "em0"
set block-policy drop
# table of known brute-force sources: "persist" keeps the table even when no
# rule references it, "file" pre-loads it from the blacklist on every ruleset load
table <ssh-bruteforce> persist file "/var/db/ssh-blacklist"
# block everything from the table; "quick" makes this the final decision for a
# matching packet, so a listed source never reaches the pass rule below
block log quick from <ssh-bruteforce>
# allow ssh, but move a source into the table once it holds more than 10
# concurrent connections or opens more than 5 new ones within 60 seconds;
# "flush global" then kills all existing states of that source
pass on $ext_if inet proto tcp from any to $ext_if port ssh keep state \
(max-src-conn 10, max-src-conn-rate 5/60, overload <ssh-bruteforce> flush global)
Create the blacklist file:
touch /var/db/ssh-blacklist
chmod 644 /var/db/ssh-blacklist
Restart pf with:
/etc/rc.d/pf restart
/etc/rc.d/pflog restart
http://www.daemonsecurity.com/pub/src/tools/cc-cidr.pl
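The "persist file" keyword only reads /var/db/ssh-blacklist when the ruleset is loaded; addresses that "overload" adds at runtime live in kernel memory and are lost on reboot unless they are written back. As an added example that is not part of the original page, the POSIX sh helpers below write the live table back to the file, age out stale entries, block or unblock a single address by hand, and reload the ruleset only after it parses. The table, file and ruleset paths are the ones used above; the optional trusted-hosts file given to normalize_table, the sample pfctl output and the script name pf-blacklist.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the page): maintenance helpers for the
# <ssh-bruteforce> overload table from the ruleset above.
TABLE=${TABLE:-ssh-bruteforce}
BLACKLIST=${BLACKLIST:-/var/db/ssh-blacklist}
PF_CONF=${PF_CONF:-/etc/pf.conf}

# "pfctl -t <table> -T show" prints one address per line with leading
# whitespace (plus statistics lines when -v is given). Reduce that on stdin to
# the plain one-address-per-line format that "persist file" reads back,
# de-duplicated and sorted, minus any address listed in the optional
# trusted-hosts file $1 (so a mistyped password from your own workstation is
# never persisted as a permanent block).
normalize_table() {
    awk -v trusted="${1:-}" '
        BEGIN {
            if (trusted != "")
                while ((getline line < trusted) > 0) {
                    gsub(/[[:space:]]/, "", line)
                    if (line != "") skip[line] = 1
                }
        }
        # an address or address/prefix alone on the line
        /^[[:space:]]*[0-9A-Fa-f:.]+(\/[0-9]+)?[[:space:]]*$/ {
            if (!($1 in skip) && !($1 in seen)) { seen[$1] = 1; print $1 }
        }
    ' | sort
}

# Write the live table to the blacklist file atomically (run from cron).
persist_table() {
    pfctl -t "$TABLE" -T show | normalize_table "${1:-}" > "$BLACKLIST.tmp" \
        && mv "$BLACKLIST.tmp" "$BLACKLIST"
}

# Drop entries that have not been hit for $1 seconds (default one day) so the
# table does not grow forever; persist afterwards to shrink the file as well.
expire_table() {
    pfctl -t "$TABLE" -T expire "${1:-86400}"
}

# Block an address by hand the way "overload ... flush global" does: add it to
# the table, then kill its states, because state lookup happens before rule
# evaluation and an established session would otherwise continue.
block_now() {
    pfctl -t "$TABLE" -T add "$1" && pfctl -k "$1"
}

# Remove one address (e.g. a locked-out admin) from the table.
unblock() {
    pfctl -t "$TABLE" -T delete "$1"
}

# Parse-check the ruleset before loading it, instead of a blind restart that
# can leave the host without rules (or without ssh access) on a syntax error.
check_and_reload() {
    pfctl -nf "$PF_CONF" && pfctl -f "$PF_CONF"
}

# Constructed sample of "pfctl -t ssh-bruteforce -T show" output, with a
# deliberate duplicate and an address we pretend is a trusted admin workstation.
SAMPLE_SHOW=$(cat <<'EOF'
   203.0.113.5
   198.51.100.7
   203.0.113.5
   192.0.2.50
EOF
)

case "${1:-}" in
    persist) persist_table "${2:-}" ;;
    expire)  expire_table "${2:-}" ;;
    block)   block_now "$2" ;;
    unblock) unblock "$2" ;;
    reload)  check_and_reload ;;
    demo)    printf '%s\n' "$SAMPLE_SHOW" | normalize_table ;;
esac
```

A crontab entry such as `*/10 * * * * /usr/local/sbin/pf-blacklist.sh persist /etc/pf.trusted` (path and file name assumed) keeps the blacklist current across reboots. Independently of the script, put your own addresses in a `table <trusted>` and add `pass in quick on $ext_if proto tcp from <trusted> to $ext_if port ssh keep state` before the `block log quick from <ssh-bruteforce>` line, so that a brute-force detection triggered from an admin host can never lock you out.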
ALTQ
To give one group of hosts most of the bandwidth and starve another. Note that cbq allows exactly one "default" queue, that the bandwidth shares of sibling queues must not add up to more than 100%, and that a queue without "borrow" can never exceed its own share:
altq on $ext_if cbq bandwidth 10Mb queue { def, mostofmybandwidth, notalot }
queue def bandwidth 20% cbq(default borrow red)
queue mostofmybandwidth bandwidth 77% cbq(borrow red) { most_lowdelay, most_bulk }
# the children split their parent's share; CBQ priorities run from 0 to 7
# (default 1), so interactive traffic gets 7 and bulk transfers the lowest
queue most_lowdelay bandwidth 50% priority 7
queue most_bulk bandwidth 50% priority 1
# no "borrow": this queue is capped at 3% of the link
queue notalot bandwidth 3% cbq
[...]
# $localnet, $allowedports and $iptostarve are macros defined in the part elided above
block all
# with two queues given, the second one receives packets with TOS lowdelay and TCP ACKs
pass from $localnet to any port $allowedports keep state queue (most_bulk, most_lowdelay)
pass from $iptostarve to any port $allowedports keep state queue notalot
Example:
altq on $ext_if cbq bandwidth 100Kb queue { std, ssh }
queue std bandwidth 90% cbq(default)
queue ssh bandwidth 10% cbq(borrow red)
pass on $ext_if inet proto tcp from any to $ext_if port ssh keep state \
(max-src-conn 10, max-src-conn-rate 5/60, overload <ssh-bruteforce> flush global) \
queue ssh
pass out on $ext_if from any to any queue std
To see the live shaping:
pfctl -vvsq
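Reading the pfctl queue statistics by eye gets tedious with more than a few queues. As an added example that is not part of the original page, the sh functions below reduce one `pfctl -vsq` snapshot (the same lines `-vvsq` reprints every five seconds) to one line per queue with its packet and drop counts, and name the queues dropping more than a given percentage, which is the usual sign that a queue's share is too small or that "borrow" is missing. The sample is constructed in the shape of FreeBSD's pfctl statistics output for the 100Kb example above; the script name altq_drops.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the page): summarize per-queue ALTQ statistics.
#   pfctl -vsq | sh altq_drops.sh -      (altq_drops.sh is a hypothetical name)

# Constructed sample in the shape of "pfctl -vsq" output for the ruleset above.
SAMPLE_QSTATS=$(cat <<'EOF'
queue root_em0 on em0 bandwidth 100Kb priority 0 cbq( wrr root ) {std, ssh}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue  std on em0 bandwidth 90Kb cbq( default )
  [ pkts:       4112  bytes:     513208  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
  [ measured:    12.4 packets/s, 15.20Kb/s ]
queue  ssh on em0 bandwidth 10Kb cbq( red borrow )
  [ pkts:        953  bytes:     104992  dropped pkts:     37 bytes:   4400 ]
  [ qlength:  12/ 50  borrows:    210  suspends:      4 ]
  [ measured:     3.1 packets/s, 9.80Kb/s ]
EOF
)

# Read pfctl queue statistics on stdin; print "<queue> <pkts> <dropped> <drop%>"
# per queue. The root queue is skipped because it never queues packets itself.
altq_queue_drops() {
    awk '
        /^queue/ { q = $2; next }
        /dropped pkts:/ && q != "" && q !~ /^root_/ {
            pkts = 0; dropped = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "pkts:" && $(i - 1) == "[")       pkts    = $(i + 1) + 0
                if ($i == "pkts:" && $(i - 1) == "dropped") dropped = $(i + 1) + 0
            }
            total = pkts + dropped
            pct = (total > 0) ? 100 * dropped / total : 0
            printf "%s %d %d %.2f\n", q, pkts, dropped, pct
        }
    '
}

# Print the names of queues whose drop rate exceeds $1 percent (default 1).
altq_saturated() {
    altq_queue_drops | awk -v t="${1:-1}" '$4 > t { print $1 }'
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_QSTATS" | altq_queue_drops ;;
    -)    altq_queue_drops ;;
esac
```

In the constructed sample the ssh queue drops about 3.7% of its packets while borrowing heavily, so either its 10% share is too small for the load or the interactive and bulk parts of ssh should be split into two queues as in the previous example.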