# pf redirect, ssh forward + ssh blacklisting



## nikolajg (Dec 4, 2012)

Hi,

I'm in doubt about the argument for installing *sshd* on a firewall vs. the security vulnerabilities of remote syslog; please see below:

1. pf redirect + ssh forward:
The server is in the dmz and exhibits: a web service, git and sftp.

I want to protect the web service using ssh tunnel - the web service has vulnerabilities.

I would like to redirect ssh traffic to the web server, instead of port forwarding from the firewall. This way I'll avoid installing ssh on the firewall (including users). Because of git and sftp, I need to install sshd on the server (in the dmz) anyway.

Question: is this the best setup - I mean, redirect ssh traffic to the server and do port forward to localhost on the server (and not the firewall), so that users can tunnel http using localhost (with some port) in their browser?

2. ssh blacklisting
I would like to blacklist hosts doing ssh attacks. Currently I'm looking at sshguard-pf and then use remote syslog to notify sshguard-pf (on the fw) about the attack. This way the attacker is allowed to the server (dmz) only on the first attempt - and blocked in the future by the firewall.

Question: all the documentation is warning about remote syslog. I would be happy to get some input.

Thanks.

PS The ssh port is moved and I'm using 1024-bit dsa keys with a passphrase (going to compile ssh with kerberos). I'm using portsentry also.


----------



## SirDice (Dec 5, 2012)

A simple solution:

```
table <sshguard> persist

pass in on $ext_if proto tcp from any to any port 22
block in log quick on $ext_if from <sshguard> to any port 22 label "ssh bruteforce"
```


----------



## nikolajg (Dec 5, 2012)

Thanks for answering. Yep to that rule, but should the rule be implemented in pf on the fw - or on the server (which also runs pf)? Stopping traffic on the "frontier" (the fw machine) is good, but pf on the server also gives some advantages - I mean, it is more likely that blockings on that pf instance are more serious. PS I'm using overload in the ssh rdr rule on the fw, i.e. remote syslog from the server to the fw wouldn't be overloaded either.


----------



## SirDice (Dec 5, 2012)

You're going to ssh into the firewall (and use port forwarding to 'hop' to the webserver). So the login failures will happen there.


----------



## bbzz (Dec 5, 2012)

There isn't a best way.
Personally I would port forward on firewall to webserver and create tunnel from server itself, rather than log into fw and create tunnel from there.

Also, sshguard doesn't work, I believe, against public key authentication. Sometimes people will try and "bruteforce" passwords even though it won't work, which still clogs your logs. So something that monitors the number of tcp connects in a given time frame can be useful:


```
pass in quick on $ext_if tagged INTERNET_TO_SELF_SSH modulate state \
        (max-src-conn 10, max-src-conn-rate 3/20, overload <ssh_abuse> flush global)
```


----------



## nikolajg (Dec 6, 2012)

Ok, you're both saying that I should port forward from the fw to the server (web).

That means a running sshd and adding users on the fw. I was trying to avoid ssh access - but ok, I can then avoid remote syslog from server to fw (in order to blacklist from auth.log).

Before installing the "real" fw box (with ext, dmz and lan) the server was connected directly to wan ip and running git and sftp using ssh tunnel.

Question: what about git and sftp on the server - should I use port forwarding or rdr? If using sftp, I need sshd on the server (also). Otherwise, I could install ftp and do forward from fw. Would be glad for comments.

PS bbzz, you're saying, quote, "sshguard doesn't work, I believe, against public key authentication" - yep about the overload rule (I have that rule) - but I want to blacklist all bad login attempts in auth.log - I still see those despite using public key.


----------



## bbzz (Dec 6, 2012)

nikolajg said:

> Ok, your'e both saying that I should port forward from the fw to the server (web).
> 
> That means a running sshd and adding users on the fw. I was trying to avoid ssh access - but ok, I can then avoid remote syslog from server to fw (in order to blacklist from auth.log).



To make it clear - redirection on pf is what is traditionally a port forward on a FW - redirecting a connection to a different ip/port. SSH port forwarding, on the other hand, is tunneling.

Therefore, in the scope of this discussion a port forward on the FW means redirecting a connection request to the web server. The FW should just be a FW and not terminate a connection unless there's a specific reason to increase its complexity. Your webserver terminates the ssh connection and creates a tunnel to itself. This way the FW doesn't need permission to initiate a connection to anywhere.
Also, if you intend to do queuing on the FW, you'll notice it's easier this way.



> Before installing the "real" fw box (with ext, dmz and lan) the server was connected directly to wan ip and running git and sftp using ssh tunnel.
> 
> Question: what about git and sftp on the server - should I use port forwarding or rdr? If using sftp, I need sshd on the server (also). Otherwise, I could install ftp and do forward from fw. Would be glad for comments.



Again, *rdr* on FW and do the rest on DMZ server.



> PS bbzz, you're saying quote "ssguard doesn't work, I believe, against public key authentication" - jeps about overload rule (have that rule) - but I want to blacklist all bad login attempts in auth.log - I still see those despite using public key.



When I used it, I remember it didn't stop all attempts. Like I said, some scanners/bruteforcers are not smart enough to realize you only allow public/private key and will keep running through their dictionary. I specifically remember one case which used to run for hours and it wasn't stopped. You could probably set it up to be noticed, but why bother.
If you end up with just private/public keys, which you should, then simply monitoring the number of TCP connects from an IP is enough.


----------



## kpa (Dec 6, 2012)

You might want to use stricter settings for sshguard: lower the safety threshold, for example to 30 (the -a option), lengthen the minimum time a blocked attacker is blocked (the -p option) and also lengthen the time sshguard remembers an attacker (the -s option). I had a very persistent knocker who managed to get past sshguard because he was sending his probe every 20 minutes, and with the default settings sshguard forgets an attacker exactly after 20 minutes. The solution was to set the -s option to 2 hours so sshguard remembers the last attacks long enough to ban the attacker permanently when he goes over the blacklist limit.


----------



## nikolajg (Dec 14, 2012)

bbzz:
Sorry about the late answer. Thanks for defining the terminology - we (I) completely misunderstood. I'll use a traditional port forward (rdr in fw), i.e. terminate the ssh connection on the server. Remote syslog is working now and I'm able to tail the log file (and read from a pipe).

kpa + bbzz:
Thanks. I couldn't make sshguard work (my fault somehow). Anyway, I would like to make my own pipe handler (cat syslog to a mkfifo named pipe) and then do a pfctl table update and blacklist file update. Later on I'll update a mysql db with attacks and their type in order to get some statistics. Yes, the downside is checking for a potentially new parse format on version update, but I'll check the cases anyway. PS Are there other alternatives to sshguard, fail2ban and denyhosts?

Thanks.
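
As an added example (not code from this thread, from sshguard or from any poster), here is a small Python handler of the kind nikolajg describes in the last post: read syslog lines from stdin (a `cat`-ed named pipe or a syslogd pipe action), count sshd failures per source address in a sliding window, and add offenders to a pf table with `pfctl -t sshguard -T add`. It also makes kpa's point concrete: a knocker that probes exactly every 20 minutes is never banned when the window is 20 minutes, but is banned with a 2-hour window. Assumptions: the `<sshguard>` table and block rule from SirDice's post exist on the box running this; a threshold of 4 failures; a fixed year for the year-less syslog timestamps; the log lines below are constructed, not from any real host.

```python
"""Hypothetical sshd failure blacklister for pf (added example; not sshguard
and not any poster's code).  Reads syslog lines from stdin, counts failed
attempts per source address in a sliding window, and adds offenders to a
pf table."""
import re
import subprocess
import sys
from collections import defaultdict, deque
from datetime import datetime

# Assumption: OpenSSH failure messages as they appear in FreeBSD's auth.log.
# Anything else (e.g. "Accepted publickey for ...") is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|publickey|none) for (?:invalid user )?\S+ from "
    r"|Invalid user \S+ from "
    r"|Did not receive identification string from )"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

PF_TABLE = "sshguard"  # assumption: 'table <sshguard> persist' + block rule exist


class Tracker:
    """Ban a source once it has `threshold` failures within `window_seconds`.

    Attempts a full window old are forgotten, which is what kpa ran into:
    a probe every 20 minutes never trips a 20-minute memory, but does trip
    a 2-hour one.
    """

    def __init__(self, threshold=4, window_seconds=7200, year=2012):
        self.threshold = threshold
        self.window = window_seconds
        self.year = year  # syslog timestamps carry no year; assumed constant
        self.hits = defaultdict(deque)
        self.banned = {}

    def feed(self, line):
        """Return the address to ban because of this line, or None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        q = self.hits[ip]
        q.append(ts)
        # Forget attempts that are at least one window old (the -s analogue).
        while q and (ts - q[0]).total_seconds() >= self.window:
            q.popleft()
        if len(q) >= self.threshold and ip not in self.banned:
            self.banned[ip] = ts
            return ip
        return None


def pf_add_cmd(ip, table=PF_TABLE):
    """pfctl invocation that adds one address to a table (no <> on the CLI)."""
    return ["pfctl", "-t", table, "-T", "add", ip]


def ban(ip, table=PF_TABLE, blacklist=None, dry_run=True):
    """Add `ip` to the pf table and, optionally, to a persistent blacklist file."""
    cmd = pf_add_cmd(ip, table)
    if not dry_run:
        subprocess.run(cmd, check=True)
        if blacklist:
            with open(blacklist, "a") as fh:
                fh.write(ip + "\n")
    return cmd


def process(lines, tracker, dry_run=True):
    """Feed lines through the tracker; return the addresses banned, in order."""
    banned = []
    for line in lines:
        ip = tracker.feed(line.rstrip("\n"))
        if ip:
            ban(ip, dry_run=dry_run)
            banned.append(ip)
    return banned


# Constructed sample: 203.0.113.7 knocks exactly every 20 minutes,
# 198.51.100.9 bursts, 192.0.2.10 is a legitimate key-based login.
SAMPLE_LOG = """\
Dec  6 12:00:01 dmz sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec  6 12:20:01 dmz sshd[1230]: Invalid user oracle from 203.0.113.7
Dec  6 12:40:01 dmz sshd[1262]: Failed publickey for root from 203.0.113.7 port 51101 ssh2
Dec  6 13:00:01 dmz sshd[1299]: Failed password for invalid user test from 203.0.113.7 port 51190 ssh2
Dec  6 13:00:05 dmz sshd[1301]: Accepted publickey for nikolaj from 192.0.2.10 port 40001 ssh2
Dec  6 13:01:00 dmz sshd[1310]: Failed password for invalid user a from 198.51.100.9 port 3333 ssh2
Dec  6 13:01:01 dmz sshd[1311]: Failed password for invalid user b from 198.51.100.9 port 3334 ssh2
Dec  6 13:01:02 dmz sshd[1312]: Did not receive identification string from 198.51.100.9
Dec  6 13:01:03 dmz sshd[1313]: Failed none for invalid user c from 198.51.100.9 port 3336 ssh2
Dec  6 13:01:04 dmz sshd[1314]: Failed password for invalid user d from 198.51.100.9 port 3337 ssh2
"""

if __name__ == "__main__":
    # e.g.  mkfifo /var/run/sshlog; cat /var/run/sshlog | python3 blacklist.py --apply
    # Without --apply only the pfctl commands are computed, nothing is run.
    t = Tracker(threshold=4, window_seconds=7200)
    for addr in process(sys.stdin, t, dry_run="--apply" not in sys.argv):
        print("banned", addr, file=sys.stderr)
```

The two Tracker windows are the whole point: run `SAMPLE_LOG` with `window_seconds=1200` and only the bursting 198.51.100.9 is banned, because each 20-minute probe from 203.0.113.7 is forgotten the moment the next one arrives; with `window_seconds=7200` both addresses end up in the table. The caveat nikolajg himself raises still applies: the regex is tied to the current OpenSSH log wording, so it needs re-checking after an upgrade.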


----------

