# Is this a good setup?



## henrixd (May 31, 2012)

Hi

Can you tell me your opinion? Something good? Or bad? Too much? Did I miss something? Something doesn't make sense? I'm not having my best week.

pf.conf

```
# placeholder: the post does not show the $ext_if macro definition, but
# pf will refuse to load the ruleset without it
ext_if = "em0"

set block-policy drop
set skip on lo0

## packet normalization
scrub     on $ext_if all reassemble tcp
scrub in  on $ext_if all fragment drop-ovl
scrub out on $ext_if all random-id fragment reassemble

## abusive hosts
table <abusive> persist file "/var/db/pf/abusive"

## redirect spamd hosts
table <spamd> persist
rdr pass inet proto tcp from <spamd> port 1024:65535 to ($ext_if:0) \
        port smtp -> 127.0.0.1 port spamd

## default block
block in log
block out log

## block abusive hosts
block in quick from <abusive>

## no spoofed addresses
antispoof quick for { lo0, $ext_if }

## public services
pass in on $ext_if inet proto tcp from any port 1024:65535 \
        to ($ext_if:0) port { 25, 80, 443 } flags S/SA synproxy state \
        (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive> flush global)

## sshd
pass in on $ext_if inet proto tcp from any port 1024:65535 \
        to ($ext_if:0) port 22 flags S/SA synproxy state \
        (max-src-conn 15, max-src-conn-rate 5/3, overload <abusive> flush global)

## allow ping in / out
pass in inet proto icmp all icmp-type echoreq
pass out inet proto icmp all icmp-type echoreq

# allow dns queries
pass out on $ext_if inet proto udp from ($ext_if:0) port 1024:65535 \
        to any port 53 keep state

# smtp
pass out on $ext_if inet proto tcp from ($ext_if:0) port 1024:65535 \
        to any port 25 flags S/SA keep state

# let spamd-setup update blacklist
pass out on $ext_if inet proto tcp from ($ext_if:0) port 1024:65535 \
        to any port { spamd, spamd-cfg, spamd-sync } flags S/SA keep state

# dyndns
pass out on $ext_if inet proto tcp from ($ext_if:0) port 1024:65535 \
        to xxx.xxx.xxx.xxx port 80 flags S/SA keep state
```

root crontab

check ssh violations from auth.log
keep copy of abusive table on disk for reboots
records in abusive table expire in 24h


```
*/5     *       *       *       *       /root/bin/ssh_violations.sh
*/5     *       *       *       *       /sbin/pfctl -t abusive -Ts > /var/db/pf/abusive
@reboot /sbin/pfctl -t abusive -Te 86400
```

ssh_violations.sh

3 invalid user errors in the auth log and you are in the abusive hosts table.
max-src-conn-rate will catch most of the scans, but this is just a backup (I hate them).


```
#!/bin/sh
# Count "Invalid user ... from <ip>" lines per source address and add
# repeat offenders to the pf <abusive> table.
# sort is needed before uniq -c: uniq only merges adjacent identical
# lines, so an address that shows up again later in the log would
# otherwise be counted as separate short runs.
grep -E 'Invalid user [A-Za-z0-9_-]+ from [0-9.]+$' /var/log/auth.log | awk '{print $10}' | sort | uniq -c | \
( while read num ip; do
                # three or more failures from one address -> table
                if [ ${num} -ge 3 ]; then
                        pfctl -t abusive -T add ${ip} > /dev/null 2>&1
                fi
        done
)
```
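The threshold logic of ssh_violations.sh, written as an added example (not code from the thread) so it can be dry-run against a constructed sample log instead of the live /var/log/auth.log. The function names `abusive_ips` and `ban_abusive`, the sample log lines and the documentation-range addresses are all assumptions made for the example; the `pfctl -t abusive -T add` call is the one from the post.

```shell
#!/bin/sh
# Added example: the "Invalid user" threshold check split into functions.

# Print every source address that produced at least THRESHOLD
# "Invalid user <name> from <ip>" lines in LOGFILE, one per line.
# The sort before uniq -c is essential: uniq only merges adjacent
# lines, so an address hitting the box at 10:01 and again at 10:03
# would otherwise be counted as two separate runs of one.
abusive_ips() {
    logfile=$1
    threshold=$2
    grep -E 'Invalid user [A-Za-z0-9_-]+ from [0-9.]+$' "$logfile" \
        | awk '{ print $NF }' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Feed the result to pfctl. On a box without pf (e.g. where this is
# being tested) just echo the command that would run.
ban_abusive() {
    abusive_ips "$1" "$2" | while read -r ip; do
        if command -v pfctl >/dev/null 2>&1; then
            pfctl -t abusive -T add "$ip" >/dev/null 2>&1
        else
            echo "would run: pfctl -t abusive -T add $ip"
        fi
    done
}

# Constructed sample auth.log (documentation-range addresses, not real
# hosts). 198.51.100.7 appears three times, non-adjacent; 203.0.113.9
# has two "Invalid user" lines plus one "Failed password" line that the
# pattern deliberately does not match.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
May 31 10:01:02 host sshd[1234]: Invalid user admin from 198.51.100.7
May 31 10:01:05 host sshd[1235]: Invalid user oracle from 203.0.113.9
May 31 10:01:09 host sshd[1236]: Invalid user test from 198.51.100.7
May 31 10:02:11 host sshd[1237]: Failed password for root from 203.0.113.9 port 4022 ssh2
May 31 10:02:40 host sshd[1238]: Invalid user guest from 198.51.100.7
May 31 10:03:01 host sshd[1239]: Invalid user admin from 203.0.113.9
EOF

# Usage: with threshold 3 only 198.51.100.7 is reported.
ban_abusive "$SAMPLE_LOG" 3
```

Using `$NF` instead of `$10` picks the address as the last field, which the `$`-anchored pattern already guarantees, so the check does not break if the syslog prefix ever gains or loses a field.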


----------



## SirDice (Jun 1, 2012)

henrixd said:

> ```
> # allow dns queries
> pass out on $ext_if inet proto udp from ($ext_if:0) port 1024:65535 \
> to any port 53 keep state
> ```


You also need to allow TCP/53. Not all queries are done using UDP; if the query doesn't fit, it'll use TCP, which would currently fail.

Instead of using your own ssh_violations.sh script I highly recommend security/sshguard-pf.


----------



## henrixd (Jun 1, 2012)

> You also need to allow TCP/53. Not all queries are done using UDP, if the query doesn't fit it'll use TCP. Which would currently fail.



Thank you! This is exactly what I was looking for.



> Instead of using your own ssh_violations.sh script I highly recommend security/sshguard-pf.



This too, I'm actually positively surprised how well it works.

Back to bombing my server with hydra.


----------

